2004.12868v1 [cs.FL] 27 Apr 2020

arXiv

Timed games and deterministic separability

Lorenzo Clemente
University of Warsaw, Poland
clementelorenzo@gmail.com

Sławomir Lasota
University of Warsaw, Poland
sl@mimuw.edu.pl

Radosław Piórkowski
University of Warsaw, Poland
r.piorkowski@mimuw.edu.pl


Abstract 


We study a generalisation of Büchi-Landweber games to the timed setting. The winning condition is
specified by a non-deterministic timed automaton with epsilon transitions, and only Player I can
elapse time. We show that for a fixed number of clocks and a fixed maximal numerical constant available to
Player II, it is decidable whether she has a winning timed controller using these resources. More
interestingly, we also show that the problem remains decidable even when the maximal numerical
constant is not specified in advance, which is an important technical novelty not present in the previous
literature on timed games. We complement these two decidability results by showing undecidability
when the number of clocks available to Player II is not fixed.

As an application of timed games, and our main motivation to study them, we show that they
can be used to solve the deterministic separability problem for nondeterministic timed automata
with epsilon transitions. This is a novel decision problem about timed automata which has not been
studied before. We show that separability is decidable when the number of clocks of the separating
automaton is fixed and the maximal constant is not. Whether separability is decidable
without bounding the number of clocks of the separator remains an interesting open problem.


1 Introduction


Separability. Separability is a classical problem in theoretical computer science and mathematics.
A set $S$ separates two sets $L, M$ if $L \subseteq S$ and $S \cap M = \emptyset$. Intuitively, a separator
$S$ provides a certificate of disjointness, yielding information on the structure of $L, M$ up
to some granularity. There are many elegant results in computer science and mathematics
showing that separators with certain properties always exist, such as Lusin's separation
theorem in topology (two disjoint analytic sets are separable by a Borel set), Craig's interpolation
theorem in logic (two contradictory first-order formulas can be separated by one
containing only symbols in the shared vocabulary), in model theory (two disjoint projective
classes of models are separable by an elementary class), in formal languages (two disjoint
Büchi languages of infinite trees are separable by a weak language, generalising Rabin's
theorem [45]), in computability (two disjoint co-recursively enumerable sets are separable by
a recursive set), in the analysis of infinite-state systems (two disjoint languages recognisable
by well-structured transition systems are regular separable [16]), etc.

When separability is not trivial, one may ask whether the problem is decidable. Let $\mathcal{C}$
and $\mathcal{S}$ be two classes of sets. The $\mathcal{S}$-separability problem for $\mathcal{C}$ amounts to deciding whether,
for every two input sets $L, M \in \mathcal{C}$, there is a set $S \in \mathcal{S}$ separating $L, M$. Many results of this
kind exist when $\mathcal{C}$ is the class of regular languages of finite words over finite alphabets,
and $\mathcal{S}$ ranges over piecewise-testable languages [41] [17] (later generalised to context-free
languages [18] and finite trees [27]), locally and locally threshold testable languages [42],
first-order logic definable languages [44] (generalised to some fixed levels of the first-order
hierarchy [43]). For classes of languages $\mathcal{C}$ beyond the regular ones, decidability results
are rarer. For example, regular separability of context-free languages is undecidable
[46] [31] [33]. Nonetheless, there are positive decidability results for separability problems
on several infinite-state models, such as Petri nets [12], Parikh automata [11], one-counter
automata [15], higher-order and collapsible pushdown automata [29] [13], and others.

In this paper, we go beyond languages over finite alphabets, and we study the separability 
problem for timed languages, which we introduce next. 


Timed automata. Nondeterministic timed automata are one of the most widespread models
of real-time reactive systems. They consist of finite automata extended with real-valued
clocks which can be reset and compared by inequality constraints. Alur and Dill's seminal
result showed PSPACE-completeness of the reachability problem [3], for which they received
the 2016 Church Award [1]. This paved the way to the automatic verification of timed
systems, eventually leading to mature tools such as UPPAAL [6], UPPAAL Tiga (timed
games) [10], and PRISM (probabilistic timed automata) [35]. The reachability problem is
still a very active research area to this day [22] [30] [2] [25] [26] [28], as are expressive
generalisations thereof, such as the binary reachability problem [14] [20] [34] [24].

Deterministic timed automata form a strict subclass of nondeterministic timed automata
where the next configuration is uniquely determined by the current one and the timed
input symbol. This class enjoys stronger properties, such as decidable universality/inclusion
problems and complementability [3], and it is used in several applications, such as test
generation [40], fault diagnosis [7], learning [50] [47], defining winning conditions in timed
games [4] [32] [8], and in a notion of recognisability of timed languages [37].

The $k,m$-deterministic separability problem asks, given two nondeterministic timed automata
$\mathcal{A}$ and $\mathcal{B}$ with epsilon transitions, whether there exists a deterministic timed automaton
$\mathcal{S}$ with $k$ clocks and maximal constant bounded by $m$ s.t. $L(\mathcal{S})$ separates $L(\mathcal{A}), L(\mathcal{B})$. Likewise
one defines $k$-deterministic separability, where only $k$ is fixed but not $m$. We can see $\mathcal{A}$
as recognising a set of good behaviours which we want to preserve and $\mathcal{B}$ as recognising a set of
bad behaviours which we want to exclude; a deterministic separator, when it exists, provides
a compromise between these two conflicting requirements. To the best of our knowledge,
separability problems for timed automata have not been investigated before. Our first main
result is decidability of $k,m$- and $k$-deterministic separability.


> Theorem 1.1. The $k,m$- and $k$-deterministic separability problems are decidable.


Decidability of deterministic separability should be contrasted with undecidability of the
corresponding membership problem [23] [49]. This is a rare circumstance, which is shared
with languages recognised by one-counter nets [15], and conjectured to be the case for the
full class of Petri net languages.¹ We solve the separability problem by reducing it to an
appropriate timed game (cf. Theorems 1.2 and 1.3 below). This forms the basis of our
interest in defining and studying a non-trivial class of timed games, which we introduce next.


Timed games. We consider the following timed generalisation of Büchi-Landweber games
[9]. There are two players, called Player I and Player II, which play taking turns in a strictly
alternating fashion. At the $i$-th round, Player I selects a letter $a_i$ from a finite alphabet and a
nonnegative timestamp $t_i$ from $\mathbb{R}_{\geq 0}$, and Player II replies with a letter $b_i$ from a finite alphabet.
At doomsday, the two players have built an infinite play $\pi = (a_1, b_1, t_1)(a_2, b_2, t_2) \cdots$, and
Player I wins if, and only if, $\pi$ belongs to her winning set, which is a timed language
recognised by a nondeterministic timed automaton with $\varepsilon$-steps. For a fixed number of clocks
$k \in \mathbb{N}$ and maximal constant $m \in \mathbb{N}$, the $k,m$-timed synthesis problem asks whether there
is a finite-memory timed controller for Player II using at most $k$ clocks and guards with
maximal constant bounded by $m$ in absolute value, ensuring that every play $\pi$ conforming to the
controller is winning for Player II. Our second contribution is decidability of this problem.


> Theorem 1.2. For every fixed $k, m \in \mathbb{N}$, the $k,m$-timed synthesis problem is decidable.


We reduce to an untimed finite-state game with an $\omega$-regular winning condition [9]. This
should be contrasted with undecidability of the same problem when the set of winning plays
for Player II is a nondeterministic timed language (cf. [21] for a similar observation). The
$k$-timed synthesis problem asks whether there exists a bound $m \in \mathbb{N}$ s.t. the $k,m$-timed
synthesis problem has a positive answer for Player II, which we also show decidable.


> Theorem 1.3. For every fixed $k \in \mathbb{N}$, the $k$-timed synthesis problem is decidable.


This requires the synthesis of the maximal constant $m$, which is an interesting technical
novelty not shared with the current literature on timed games. We design a protocol whereby
Player II demands to be informed by Player I whenever a clock elapses one time unit. We require
that the number of such consecutive requests be finite, yielding a bound on $m$ (when such a
value exists).

Finally, we complement the two decidability results above by showing that the synthesis
problem is undecidable when the number of clocks $k$ available to Player II is not specified in
advance (cf. Theorem 6.1).

There are many variants of timed games in the literature, depending on whether the players
must enforce a nonzeno play, who controls the elapse of time, concurrent actions, etc.
[51] [38] [5] [21] [9]. In this terminology, our timed games are asymmetric (only Player I can
elapse time) and turn-based (the two players strictly alternate).

¹ All these classes of languages have a decidable disjointness problem; however, regular separability is not
always decidable in this case [48].


2 Preliminaries


Let $\mathbb{R}$ be the set of real numbers and $\mathbb{R}_{\geq 0}$ the set of nonnegative real numbers. For two
sets $A$ and $B$, let their Cartesian product be $A \cdot B$. Let $A^0 = \{\varepsilon\}$, and, for every $n \geq 0$,
$A^{n+1} = A \cdot A^n$. The set of finite sequences over $A$ is $A^* = \bigcup_n A^n$, $A^\omega$ is the set of infinite
sequences, and $A^\infty = A^* \cup A^\omega$. A (monotonic) timed word over a finite alphabet $\Sigma$ is
a sequence $w = (a_1, t_1)(a_2, t_2) \cdots \in (\Sigma \cdot \mathbb{R}_{\geq 0})^\infty$ s.t. $0 \leq t_1 \leq t_2 \leq \cdots$, and it is strictly
monotonic if $0 \leq t_1 < t_2 < \cdots$. A timed language over $\Sigma$ is a set $L \subseteq (\Sigma \cdot \mathbb{R}_{\geq 0})^\infty$ of monotonic
timed words; it is strictly monotonic if it contains only strictly monotonic timed words.
The untiming $\mathrm{untime}(w)$ of a timed word $w$ as above is the word $a_1 a_2 \cdots \in \Sigma^\infty$ obtained
from $w$ by removing the timestamps, which is extended to timed languages $L$ pointwise as
$\mathrm{untime}(L) = \{\mathrm{untime}(w) \mid w \in L\}$.


Clocks, constraints, and regions. Let $X = \{x_1, \ldots, x_k\}$ be a finite set of clocks. A clock
valuation is a function $\mu \in \mathbb{R}_{\geq 0}^X$ assigning a nonnegative real number $\mu(x)$ to every clock
$x \in X$. For a nonnegative time elapse $\delta \in \mathbb{R}_{\geq 0}$, we denote by $\mu + \delta$ the valuation assigning
$\mu(x) + \delta$ to every clock $x$; for a set of clocks $Y \subseteq X$, let $\mu[Y \mapsto 0]$ be the valuation which is $0$
on $Y$ and agrees with $\mu$ on $X \setminus Y$. We write $\mu_0$ for the clock valuation mapping every clock
$x \in X$ to $\mu_0(x) = 0$. A clock constraint is a quantifier-free formula of the form

$\varphi, \psi ::= \mathit{true} \mid \mathit{false} \mid x_i - x_j \sim z \mid x_i \sim z \mid \neg \varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi,$

where $\sim \in \{=, <, \leq, >, \geq\}$ and $z \in \mathbb{Z}$. A clock valuation $\mu$ satisfies a constraint $\varphi$, written
$\mu \models \varphi$, if interpreting each clock $x_i$ by $\mu(x_i)$ makes $\varphi$ true. A constraint $\varphi$ defines the set
$[\varphi] = \{\mu \in \mathbb{R}_{\geq 0}^X \mid \mu \models \varphi\}$ of all clock valuations it satisfies. When the set of clocks is fixed to
$X$ and the absolute value of constants is bounded by $m \in \mathbb{N}$, we speak of $X,m$-constraints. Two
valuations $\mu, \nu \in \mathbb{R}_{\geq 0}^X$ are $X,m$-region equivalent, written $\mu \sim_{X,m} \nu$, if they satisfy the same
$X,m$-constraints. An $X,m$-region $[\mu]_{X,m} \subseteq \mathbb{R}_{\geq 0}^X$ is an equivalence class of clock valuations
w.r.t. $\sim_{X,m}$. For fixed finite $X$ and $m \in \mathbb{N}$ there are finitely many $X,m$-regions; let $\mathrm{Reg}(X, m)$
denote this set. Let $\mu_0 = \lambda x.0$ and $r_0 = [\mu_0]_{X,m}$ be its region. We write $r \models \varphi$ for a
region $r \in \mathrm{Reg}(X, m)$ whenever $\mu \models \varphi$ for some $\mu \in r$ (equivalently, for all such $\mu$'s). The
characteristic clock constraint $\varphi_r$ of a region $r \in \mathrm{Reg}(X, m)$ is the unique constraint (up to
logical equivalence) s.t. $[\varphi_r] = r$. When convenient, we deliberately confuse regions with
their characteristic constraints. For two regions $r, r' \in \mathrm{Reg}(X, m)$ we write $r < r'$ whenever
$r = [\mu]_{X,m}$, $r' = [\mu + \delta]_{X,m}$ for some $\delta \geq 0$, and $r \neq r'$.
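As an added illustration (not code from the paper), the following Python snippet computes $X,m$-region equivalence literally from the definition above, by comparing the truth values of all atomic $X,m$-constraints (diagonal ones included, which makes the regions finer than the classical ones), and enumerates the successor chain $r_0 < r_1 < \cdots$ that a valuation visits under time elapse; the clock names and sample valuations are constructed here.

```python
"""X,m-region equivalence from Section 2, computed directly from its definition."""
from fractions import Fraction
from itertools import product

RELS = ("<", "<=", "==", ">=", ">")          # the relations ~ allowed in a clock constraint


def holds(lhs, rel, z):
    """Truth of the atom lhs ~ z."""
    return {"<": lhs < z, "<=": lhs <= z, "==": lhs == z, ">=": lhs >= z, ">": lhs > z}[rel]


def atoms(clocks, m):
    """All atomic X,m-constraints x ~ z and x - x' ~ z with integer |z| <= m.
    Every X,m-constraint is a Boolean combination of these, so two valuations satisfy
    the same X,m-constraints iff they agree on every atom."""
    out = []
    for z in range(-m, m + 1):
        for rel in RELS:
            out += [((x, None), rel, z) for x in clocks]
            out += [((x, y), rel, z) for x, y in product(clocks, repeat=2) if x != y]
    return out


def region_signature(mu, m):
    """Truth vector of all atoms on the valuation mu (a dict clock -> value).
    Equal signatures <=> same X,m-region; the conjunction of the satisfied atoms and the
    negations of the others is the region's characteristic constraint phi_r."""
    mu = {x: Fraction(v) for x, v in mu.items()}     # exact arithmetic; values may be ints or "1/3"
    clocks = sorted(mu)
    sig = []
    for (x, y), rel, z in atoms(clocks, m):
        lhs = mu[x] if y is None else mu[x] - mu[y]
        sig.append(holds(lhs, rel, z))
    return tuple(sig)


def region_equivalent(mu, nu, m):
    """mu ~_{X,m} nu: same clock set and same truth value for every atom."""
    return sorted(mu) == sorted(nu) and region_signature(mu, m) == region_signature(nu, m)


def time_successor_chain(mu, m):
    """The chain r_0 < r_1 < ... of regions visited by mu + delta as delta grows from 0.
    Diagonal atoms x - x' ~ z are invariant under time elapse, so the region changes only
    when some clock reaches an integer z <= m; sampling delta at these breakpoints and
    half-way between consecutive ones therefore visits every region of the chain."""
    mu = {x: Fraction(v) for x, v in mu.items()}
    points = sorted({z - v for v in mu.values() for z in range(m + 1) if v < z})
    samples = [Fraction(0)]
    for p in points:
        samples += [(samples[-1] + p) / 2, p]
    samples.append(samples[-1] + 1)            # past the last breakpoint the region no longer changes
    chain = []
    for d in samples:
        sig = region_signature({x: v + d for x, v in mu.items()}, m)
        if not chain or chain[-1] != sig:
            chain.append(sig)
    return chain


if __name__ == "__main__":
    # constructed sample: with the diagonal atom x - y ~ -1 available, (2, 5) and (3, 4) fall into
    # different X,1-regions although every clock exceeds the maximal constant in both
    print(region_equivalent({"x": 2, "y": 5}, {"x": 3, "y": 4}, 1))
    print(len(time_successor_chain({"x": 0, "y": "1/2"}, 1)), "regions on the time-elapse chain")
```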


Timed automata. A (nondeterministic) timed automaton is a tuple $\mathcal{A} = (\Sigma, L, X, I, F, \Delta)$,
where $\Sigma$ is a finite input alphabet, $L$ is a finite set of control locations, $X$ is a finite set of
clocks, $I, F \subseteq L$ are the subsets of initial, resp., final, control locations, and $\Delta$ is a finite
set of transition rules of the form $tr = (p, a, \varphi, Y, q) \in \Delta$, with $p, q \in L$ control locations,
$a \in \Sigma_\varepsilon := \Sigma \cup \{\varepsilon\}$, $\varphi$ a clock constraint to be tested and $Y \subseteq X$ the set of clocks to be
reset to $0$. A configuration of a timed automaton $\mathcal{A}$ is a pair $(p, \mu)$ consisting of a control
location $p \in L$ and a clock valuation $\mu \in \mathbb{R}_{\geq 0}^X$. It is initial if $p$ is so and $\mu = \mu_0$. It is
final if $p$ is so. Every transition rule $tr$ induces a discrete transition between configurations
$(p, \mu) \xrightarrow{tr} (q, \nu)$ when $\mu \models \varphi$ and $\nu = \mu[Y \mapsto 0]$. Intuitively, a discrete transition consists of a
test of the clock constraint $\varphi$, a reset of the clocks in $Y$, and a step to the location $q$. Moreover, for
every nonnegative $\delta \in \mathbb{R}_{\geq 0}$ and every configuration $(p, \mu)$ there is a time-elapse transition
$(p, \mu) \xrightarrow{\delta} (p, \mu + \delta)$. The timed language $\varepsilon$-recognised by $\mathcal{A}$, denoted $L_\varepsilon(\mathcal{A})$, is the set of
finite timed words $w = (a_1, t_1) \cdots (a_n, t_n) \in (\Sigma_\varepsilon \cdot \mathbb{R}_{\geq 0})^*$ s.t. there is a sequence of transitions

$(p_0, \mu_0) \xrightarrow{\delta_1} \xrightarrow{tr_1} \cdots \xrightarrow{\delta_n} \xrightarrow{tr_n} (p_n, \mu_n)$

where $p_0 \in I$ is initial, $\mu_0(x) = 0$ for every clock $x \in X$,
$p_n \in F$ is final, and, for every $1 \leq i \leq n$, $\delta_i = t_i - t_{i-1}$ (where $t_0 = 0$) and $tr_i$ is of the form
$(p_{i-1}, a_i, \_, \_, p_i)$. The timed $\omega$-language $L^\omega_\varepsilon(\mathcal{A}) \subseteq (\Sigma_\varepsilon \cdot \mathbb{R}_{\geq 0})^\omega$ is defined in terms of sequences
as above with the condition that $p_i \in F$ infinitely often. We obtain the timed language
$L(\mathcal{A}) = \pi(L_\varepsilon(\mathcal{A})) \subseteq (\Sigma \cdot \mathbb{R}_{\geq 0})^*$, resp., $\omega$-language $L^\omega(\mathcal{A}) = \pi(L^\omega_\varepsilon(\mathcal{A})) \cap (\Sigma \cdot \mathbb{R}_{\geq 0})^\omega \subseteq (\Sigma \cdot \mathbb{R}_{\geq 0})^\omega$
recognised by $\mathcal{A}$, where $\pi$ is the mapping that removes letters of the form $(\varepsilon, \_)$.

A timed automaton (without $\varepsilon$-transitions) is deterministic if it has exactly one initial
location and, for every two rules $(p, a, \varphi, Y, q), (p, a, \varphi', Y', q')$ with $[\varphi \wedge \varphi'] \neq \emptyset$, we have
$Y = Y'$ and $q = q'$. We write NTA, DTA for the classes of nondeterministic, resp., deterministic
timed automata without epsilon transitions. When the number of clocks in $X$ is bounded
by $k$ we write $k$-NTA, resp., $k$-DTA. When the absolute value of the maximal constant is
additionally bounded by $m \in \mathbb{N}$ we write $k,m$-NTA, resp., $k,m$-DTA. When epsilon transitions
are allowed, we write NTA$_\varepsilon$. A timed language is called an NTA language, DTA language, and
so on, if it is recognised by a timed automaton in the respective class. A $k,m$-DTA with
clocks $X$ is regionised if each constraint is the characteristic constraint $\varphi_r$ of some region
$r \in \mathrm{Reg}(X, m)$ and for each location $p$, input $a \in \Sigma$, and $r \in \mathrm{Reg}(X, m)$ there is a (necessarily
unique) transition rule of the form $(p, a, \varphi_r, Y, q)$. It is well known that a $k,m$-DTA can be
transformed into an equivalent regionised one by adding exponentially many transitions.


> Example 2.1 (NTA language which is not a DTA language). Let $\Sigma = \{a\}$ be a unary alphabet
and let $L$ be the set of timed words of the form $(a, t_1) \cdots (a, t_n)$ s.t. $t_n - t_i = 1$ for some
$1 \leq i < n$. $L = L(\mathcal{A})$ for the timed automaton $\mathcal{A} = (\Sigma, L, X, I, F, \Delta)$ with a single clock
$X = \{x\}$, three locations $L = \{p, q, r\}$, of which $I = \{p\}$ is initial and $F = \{r\}$ is final, and
transition rules $(p, a, \mathit{true}, \emptyset, p), (p, a, \mathit{true}, \{x\}, q), (q, a, x < 1, \emptyset, q), (q, a, x = 1, \emptyset, r) \in \Delta$.
Intuitively, in $p$ the automaton waits until it guesses that the next input will be $(a, t_i)$, at
which point it moves to $q$ by resetting the clock (and subsequently reading $a$). From $q$, the
automaton can accept by going to $r$ only if exactly one time unit elapsed since $(a, t_i)$. There
is no DTA recognising $L$, since in order to recognise $L$ deterministically one must store all
timestamps in the last unit interval, and thus no bounded number of clocks suffices.


> Example 2.2. The complement of $L$ from Example 2.1 can be recognised by an NTA
with two clocks. Indeed, a timed word $(a, t_1) \cdots (a, t_n)$ is not in $L$ if either of the following
conditions holds: 1) its length $n$ is at most $1$, or 2) the total time elapsed between the
first and the last letter is less than one time unit, $t_n - t_1 < 1$, or 3) there is a position
$1 \leq i < n$ s.t. $t_n - t_i > 1$ and $t_n - t_{i+1} < 1$. It is easy to see that two clocks suffice to
nondeterministically check the conditions above.
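As an added example (not code from the paper), here is a small set-of-configurations simulator for nondeterministic timed automata as defined above, run on the one-clock automaton $\mathcal{A}$ of Example 2.1 and on a two-clock automaton for the complement of $L$ that follows the three conditions of Example 2.2; the complement automaton and its location names are our own construction, since the paper only states that two clocks suffice. Both are checked against the direct definition of $L$ on a constructed set of strictly monotonic words.

```python
"""Set-of-configurations simulation of NTA, applied to Example 2.1 and to the complement of its language."""
from fractions import Fraction
from itertools import combinations
import operator

# A guard is a list of atoms (clock, relation, integer constant); the empty list is the constraint true.
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq, ">=": operator.ge, ">": operator.gt}


class NTA:
    """A nondeterministic timed automaton without epsilon rules, as in Section 2."""

    def __init__(self, clocks, initial, final, rules):
        # rules are tuples (p, a, guard, Y, q): test guard, reset the clocks in Y, move from p to q
        self.clocks, self.initial, self.final, self.rules = clocks, set(initial), set(final), rules

    def accepts(self, word):
        """True iff some run over the monotonic timed word [(letter, timestamp), ...] ends in a final location.
        Timestamps may be ints, Fractions or decimal strings; they are handled exactly with Fraction."""
        zero = tuple((c, Fraction(0)) for c in self.clocks)
        confs = {(p, zero) for p in self.initial}      # reachable configurations (location, valuation)
        prev = Fraction(0)
        for letter, t in word:
            t = Fraction(t)
            delta, prev = t - prev, t                  # time-elapse transition by delta_i = t_i - t_{i-1}
            nxt = set()
            for p, val in confs:
                elapsed = {c: v + delta for c, v in val}
                for src, a, guard, resets, dst in self.rules:   # then every enabled discrete transition
                    if src == p and a == letter and all(OPS[op](elapsed[c], k) for c, op, k in guard):
                        nxt.add((dst, tuple((c, Fraction(0) if c in resets else v) for c, v in elapsed.items())))
            confs = nxt
        return any(p in self.final for p, _ in confs)


def in_L(word):
    """Direct definition of L from Example 2.1: t_n - t_i = 1 for some 1 <= i < n."""
    ts = [Fraction(t) for _, t in word]
    return any(ts[-1] - ts[i] == 1 for i in range(len(ts) - 1))


def example_2_1_automaton():
    """The one-clock NTA of Example 2.1, rule for rule."""
    return NTA(["x"], ["p"], ["r"], [
        ("p", "a", [], set(), "p"),
        ("p", "a", [], {"x"}, "q"),                    # guess that this letter is (a, t_i): reset x
        ("q", "a", [("x", "<", 1)], set(), "q"),
        ("q", "a", [("x", "==", 1)], set(), "r"),       # exactly one time unit after (a, t_i)
    ])


def complement_automaton():
    """A two-clock NTA for the complement of L, built from the three conditions of Example 2.2
    (our construction; the paper only states that two clocks suffice).
    Conditions 1 and 2: n <= 1 or t_n - t_1 < 1 (reset x on the first letter and keep x < 1).
    Condition 3: t_n - t_i > 1 and t_n - t_{i+1} < 1 for a guessed i (x reset at letter i, y at letter i+1)."""
    return NTA(["x", "y"], ["s0"], ["s0", "c2", "fin"], [
        ("s0", "a", [], {"x"}, "c2"),                   # conditions 1 and 2; s0 itself accepts the empty word
        ("c2", "a", [("x", "<", 1)], set(), "c2"),
        ("s0", "a", [], set(), "s"),                    # skip a prefix before guessing i >= 2
        ("s", "a", [], set(), "s"),
        ("s0", "a", [], {"x"}, "c3a"),                  # guess i = 1
        ("s", "a", [], {"x"}, "c3a"),                   # guess i >= 2
        ("c3a", "a", [("x", ">", 1)], set(), "fin"),     # the next letter is already the last one (n = i + 1)
        ("c3a", "a", [], {"y"}, "c3b"),                 # letter i + 1 resets y
        ("c3b", "a", [], set(), "c3b"),
        ("c3b", "a", [("x", ">", 1), ("y", "<", 1)], set(), "fin"),   # checked on the last letter
    ])


def sample_words(max_len=4):
    """Constructed sample: every strictly monotonic word over {a} with timestamps in {0, 1/2, ..., 5/2}."""
    ts = [Fraction(k, 2) for k in range(6)]
    return [[("a", t) for t in combo] for n in range(max_len + 1) for combo in combinations(ts, n)]


def check_partition(words):
    """True iff the automaton of Example 2.1 accepts exactly the words of L and the
    complement automaton exactly the remaining ones, on the given words."""
    a, b = example_2_1_automaton(), complement_automaton()
    return all(a.accepts(w) == in_L(w) and b.accepts(w) == (not in_L(w)) for w in words)


if __name__ == "__main__":
    print("both automata agree with the definition of L:", check_partition(sample_words()))
```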


Since checking whether an NTA recognises a deterministic language is undecidable [23] [49],
there is no recursive bound on the number of clocks sufficient to deterministically recognise
an NTA language (whenever possible). Thus NTA can be non-recursively more succinct than
DTA w.r.t. the number of clocks. However, in general such NTA recognise timed languages whose
complement is not an NTA language. The next example shows a timed language which is
both NTA and co-NTA recognisable, but where the number of clocks of an equivalent DTA is at
least exponential in the number of clocks of the NTA.


> Example 2.3. For $k \in \mathbb{N}$, let $L_k$ be the set of strictly monotonic timed words $(a, t_1) \cdots (a, t_n)$
s.t. $t_n - t_i = 1$ where $i = n - 2^k$. The language $L_k$ can be recognised by a $(2 \cdot k + 2)$-clock
NTA $\mathcal{A}_k$ of polynomial size. There are clocks $x_0, x_1, \ldots, x_k$ and $y_0, y_1, \ldots, y_k$. Clock $x_0$ is
used to check strict monotonicity. Clock $y_0$ is reset when the automaton guesses $(a, t_i)$. The
automaton additionally keeps track of the length of the remaining input. This is achieved by
implementing a $k$-bit binary counter, where $x_j = y_j$ represents that the $j$-th bit is one. In
order to set the $j$-th bit to one, the automaton resets $x_j, y_j$; to set it to zero, it resets only $x_j$.
This is correct thanks to strict monotonicity. At the end the automaton checks $y_0 = 1$ and
that the binary counter has value $2^k$. Any deterministic automaton recognising $L_k$ requires
exponentially many clocks to store the last $2^k$ timestamps. The complement of $L_k$ can be
recognised by a $(2 \cdot k + 2)$-clock NTA of polynomial size. Indeed, a timed word is not in $L_k$ if
any of the following conditions holds: 1) its length $n$ is $\leq 2^k$, or 2) $t_n - t_i < 1$ with $i = n - 2^k$,
or 3) $t_n - t_i > 1$ with $i = n - 2^k$. The automaton guesses which condition holds and uses a
$k$-bit binary counter as above to check that position $i$ has been guessed correctly.


3 Timed synthesis games


Let $A$ and $B$ be two finite alphabets of actions and let $W \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$ be a language
of timed $\omega$-words over the alphabet $A \cdot B$. The timed synthesis game $G_{A,B}(W)$ is played
by Player I and Player II in rounds. At round $i > 0$, Player I chooses a timed action
$a_i \cdot t_i \in A \cdot \mathbb{R}_{\geq 0}$ and Player II replies immediately with an untimed action $b_i \in B$. The game
is played for $\omega$ rounds, and at doomsday the two players have produced an infinite play

$\pi = a_1 b_1 t_1 \, a_2 b_2 t_2 \cdots \in (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega.$ (1)

Player I wins the game if, and only if, $\pi \in W$.

Let $k \in \mathbb{N}$ be a bound on the number of available clocks $X = \{x_1, \ldots, x_k\}$, and let $m \in \mathbb{N}$ be
a bound on the maximal constant. A $k,m$-controller for Player II in $G_{A,B}(W)$ is a regionised
$k,m$-DTA $\mathcal{M} = (A, B, L, \ell_0, \delta)$ with input alphabet $A$ and output alphabet $B$, where $L$ is a set
of memory locations, $\ell_0 \in L$ is the initial memory location, and $\delta : L \cdot A \cdot \mathrm{Reg}(k, m) \to L \cdot B \cdot 2^X$
is the update function mapping the current memory $\ell \in L$, input $a \in A$, and region
$\varphi \in \mathrm{Reg}(k, m)$ to $\delta(\ell, a, \varphi) = (\ell', b, Y)$, where $\ell' \in L$ is the next memory location, $b \in B$ is an
output symbol, and $Y \subseteq X$ is the set of clocks to be reset.

We define by mutual induction the notion of $\mathcal{M}$-conform partial runs $\mathrm{Run}(\mathcal{M}) \subseteq L \cdot \mathbb{R}_{\geq 0}^X \cdot
(A \cdot B \cdot \mathbb{R}_{\geq 0} \cdot L \cdot \mathbb{R}_{\geq 0}^X)^*$, and the strategy $\llbracket \mathcal{M} \rrbracket : \mathrm{Run}(\mathcal{M}) \cdot A \cdot \mathbb{R}_{\geq 0} \to L \cdot \mathbb{R}_{\geq 0}^X \cdot B$ induced by
the controller on conform runs as follows: Initially, $(\ell_0, \mu_0) \in \mathrm{Run}(\mathcal{M})$, where $\mu_0(x) = 0$ for
every clock $x \in X$. Inductively, for every $n \geq 0$ and every $\mathcal{M}$-conform partial run

$\rho = (\ell_0, \mu_0)(a_1, b_1, t_1, \ell_1, \mu_1) \cdots (a_n, b_n, t_n, \ell_n, \mu_n) \in \mathrm{Run}(\mathcal{M}),$ (2)

and for every $(a_{n+1}, t_{n+1}) \in A \cdot \mathbb{R}_{\geq 0}$, we define $\llbracket \mathcal{M} \rrbracket(\rho \cdot a_{n+1} \cdot t_{n+1}) = (\ell_{n+1}, \mu_{n+1}, b_{n+1})$
for the unique $(\ell_{n+1}, \mu_{n+1}, b_{n+1}) \in L \cdot \mathbb{R}_{\geq 0}^X \cdot B$ s.t. $\delta(\ell_n, a_{n+1}, [\mu_n + \delta_{n+1}]_{X,m}) = (\ell_{n+1}, b_{n+1}, Y)$
and $\mu_{n+1} = (\mu_n + \delta_{n+1})[Y \mapsto 0]$, where $\delta_{n+1} = t_{n+1} - t_n$ (with $t_0 = 0$). Moreover, $\rho \cdot
a_{n+1} \cdot b_{n+1} \cdot t_{n+1} \cdot \ell_{n+1} \cdot \mu_{n+1}
\in \mathrm{Run}(\mathcal{M})$. An infinite $\mathcal{M}$-conform run is any sequence
$\rho \in L \cdot \mathbb{R}_{\geq 0}^X \cdot (A \cdot B \cdot \mathbb{R}_{\geq 0} \cdot L \cdot \mathbb{R}_{\geq 0}^X)^\omega$ such that every finite prefix thereof is $\mathcal{M}$-conform;
let $\mathrm{Run}_\omega(\mathcal{M})$ be the set of such $\rho$'s. Let $\mathrm{r2p}(\rho) \in (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$ be the corresponding play
$\pi = \mathrm{r2p}(\rho)$ as in (1) obtained by dropping locations and clock valuations. The controller
$\mathcal{M}$ is winning if every infinite $\mathcal{M}$-conform run $\rho$ satisfies $\mathrm{r2p}(\rho) \notin W$. A $k$-controller is a
$k,m$-controller for some $m \in \mathbb{N}$. For fixed $k, m \in \mathbb{N}$, the $k,m$-timed synthesis problem asks,
given $A, B$ and an NTA$_\varepsilon$ timed language $W \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$, whether Player II has a winning
$k,m$-controller in $G_{A,B}(W)$; the $k$-timed synthesis problem asks instead for a $k$-controller;
finally, the timed synthesis problem asks whether there exists a controller. The $0,0$-timed
synthesis problem is equivalent to the untimed synthesis problem, which is decidable by the
Büchi-Landweber Theorem [9, Theorem 1']:


> Lemma 3.1. The 0,0-synthesis problem is decidable. 


4 Deterministic separability


In this section we prove our first main result, Theorem 1.1: we show that the $k,m$- and
$k$-deterministic separability problems are decidable. We begin with a motivating example of
nonseparable languages.


> Example 4.1. Consider the NTA language $L$ from Example 2.1. Thanks to Example 2.2,
its complement is also an NTA language. Since neither $L$ nor its complement is deterministic,
they cannot be deterministically separable.


Moreover, a deterministic separator, when it exists, may need exponentially many clocks. 


> Example 4.2. We have seen in Example 2.3 an $O(k)$-clock NTA language s.t. 1) its
complement is also an $O(k)$-clock NTA language, and 2) any DTA recognising it requires $2^k$
clocks. Thus, a deterministic separator may need exponentially many clocks in the size of
the input NTA.


In the rest of the section we show how to decide the separability problems. We reduce
$k,m$-deterministic separability to $k,m$-timed synthesis, and $k$-deterministic separability
to $k$-timed synthesis, for every fixed $k, m \in \mathbb{N}$. Let $\mathcal{A}, \mathcal{B}$ be two NTA over alphabet $\Sigma$, and
let $X$ be a set of $k$ clocks. We build a timed synthesis game where the two sets of actions are

$A = \Sigma$ (Player I), $\quad B = \{acc, rej\}$ (Player II).


We define a projection function $\mathrm{proj}(a, b, t) = (a, t)$, which is extended pointwise to finite and
infinite timed words $\mathrm{proj}((a_0, b_0, t_0)(a_1, b_1, t_1) \cdots) = (a_0, t_0)(a_1, t_1) \cdots$ and timed languages
$\mathrm{proj}(L) = \{\mathrm{proj}(w) \mid w \in L \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^\infty\}$. Let $Acc, Rej \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^*$ be the sets of those
timed words ending in a timed letter of the form $(\_, acc, \_)$, resp., $(\_, rej, \_)$. The winning
condition for Player I is

$W_0 = \left(\mathrm{proj}^{-1}(L(\mathcal{A})) \cap Rej \;\cup\; \mathrm{proj}^{-1}(L(\mathcal{B})) \cap Acc\right) \cdot (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega.$ (3)

Crucially, we observe that $W_0$ is an NTA$_\varepsilon$ language since $L(\mathcal{A}), L(\mathcal{B}), Rej, Acc$ are so, and this
class is closed under inverse homomorphic images, intersections, and unions. The following
lemma states the correctness of the reduction.


> Lemma 4.3. There is a $k,m$-controller for Player II in $G_{A,B}(W_0)$ if, and only if, $L(\mathcal{A}), L(\mathcal{B})$
are $k,m$-deterministically separable.


Proof. Let $\mathcal{M} = (A, B, L, \ell_0, \delta)$ be a winning $k,m$-controller for Player II in $G = G_{A,B}(W_0)$.
Let $X = \{x_1, \ldots, x_k\}$ be the clocks of $\mathcal{M}$. We construct a separator $\mathcal{S} = (\Sigma, L \times B, X, I, F, \Delta) \in
k,m\text{-DTA}$, where $I = \{(\ell_0, acc)\}$ if $\varepsilon \in L(\mathcal{A})$ and $I = \{(\ell_0, rej)\}$ otherwise, $F = L \times \{acc\}$, and

$((\ell, b), a, \varphi, Y, (\ell', b')) \in \Delta$ if, and only if, $\delta(\ell, a, \varphi) = (\ell', b', Y)$. (4)

We show that $L(\mathcal{S})$ separates $L(\mathcal{A}), L(\mathcal{B})$ using the fact that $\mathcal{S}$ is deterministic. In order
to show $L(\mathcal{A}) \subseteq L(\mathcal{S})$, let $w = (a_1, t_1) \cdots (a_n, t_n) \in L(\mathcal{A})$ and let Player I play this timed
word in $G$. Let the corresponding $\mathcal{M}$-conform partial play be $\pi = (a_1, b_1, t_1) \cdots (a_n, b_n, t_n)$.
Since $\mathcal{M}$ is winning, $\pi$ does not extend to an infinite word in $W_0$, and in particular $\pi \notin
\mathrm{proj}^{-1}(L(\mathcal{A})) \cap Rej$. But $\mathrm{proj}(\pi) = w \in L(\mathcal{A})$ by assumption, and thus $b_n = acc$. The unique
run of $\mathcal{S}$ on $w$ ends up in an accepting control location of the form $(\_, b_n)$, and thus $w \in L(\mathcal{S})$,
as required. The argument showing that $L(\mathcal{S}) \cap L(\mathcal{B}) = \emptyset$ is similar, using the fact that $\mathcal{S}$ is
deterministic and must reach $b_n = rej$ and thus reject all words $(a_1, t_1) \cdots (a_n, t_n) \in L(\mathcal{B})$.

For the other direction, let $\mathcal{S} = (\Sigma, L, X, \{\ell_0\}, F, \Delta) \in k,m\text{-DTA}$ be a deterministic
separator. We construct a winning $k,m$-controller for Player II in $G$ of the form $\mathcal{M} =
(A, B, L, \ell_0, \delta)$ where $\delta(\ell, a, \varphi) = (\ell', b, Y)$ for the unique $Y, \ell', b$ s.t. $(\ell, a, \varphi, Y, \ell') \in \Delta$ and
$b = acc$ iff $\ell' \in F$. In order to argue that $\mathcal{M}$ is winning in $G$, let $\pi = (a_1, b_1, t_1)(a_2, b_2, t_2) \cdots \in
(A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$ be an $\mathcal{M}$-conform play. By construction of $\mathcal{M}$ we have:

> Claim 4.4. For every finite nonempty prefix $\pi' = (a_1, b_1, t_1) \cdots (a_n, b_n, t_n)$ of $\pi$, $\mathrm{proj}(\pi') \in
L(\mathcal{S})$ if, and only if, $b_n = acc$.

Knowing that $L(\mathcal{A}) \subseteq L(\mathcal{S})$, we deduce that no prefix of $\pi$ belongs to $\mathrm{proj}^{-1}(L(\mathcal{A})) \cap Rej$. Similarly,
knowing that $L(\mathcal{S}) \cap L(\mathcal{B}) = \emptyset$, we deduce that no prefix of $\pi$ belongs to $\mathrm{proj}^{-1}(L(\mathcal{B})) \cap Acc$.
Thus $\pi \notin W_0$ and therefore $\mathcal{M}$ is winning. ◀


Proof of Theorem 1.1. Lemma 4.3 provides a reduction from the $k,m$-deterministic separability
problem to the $k,m$-timed synthesis problem. The latter problem is decidable by
Theorem 1.2. Since the construction in Lemma 4.3 is independent of $m$, it also provides a
reduction from the $k$-deterministic separability problem to the $k$-timed synthesis problem.
The latter problem is decidable by Theorem 1.3. ◀


5 Solving the timed synthesis problems


The second main result of this paper is decidability of the $k,m$-timed synthesis problem
and of the $k$-synthesis problem, i.e., when the maximal constant $m$ is not specified in
advance (Theorems 1.2 and 1.3). This will be achieved in four steps. In the first two steps
(see Appendices B.1 and B.2) we make certain easy simplifying assumptions: that winning
conditions $W$ are strictly monotonic, and zero-starting, i.e., all words $(a_1, t_1)(a_2, t_2) \cdots \in W$
satisfy $t_1 = 0$. The main technical construction is in Section 5.1, where we prove Theorem 1.2
in such a way that we will easily obtain Theorem 1.3 as a corollary thereof in a later section.

The decidability results of this section are tight, since timed synthesis is undecidable
when $k$ is not fixed (cf. Theorem 6.1).


5.1 Solving the k, m-timed synthesis problem 


In this section we prove Theorem 1.2 by reducing the $k,m$-timed synthesis problem to a
$0,0$-timed synthesis problem, which is decidable by Lemma 3.1. This is the most technically
involved section. The structure of the reduction will be useful in a later section to show
decidability of the $k$-timed synthesis problem.

Let $X$ be a fixed set of clocks of size $|X| = k$ and let $m \in \mathbb{N}$ be a fixed bound on constants.
We reduce the $k,m$-synthesis problem to the $0,0$-synthesis problem by designing a protocol
in which Player II, to compensate for her inability to measure time elapse, can request certain
clocks to be tracked. In addition, we design Player I's winning condition so that it obliges
her to announce whenever the value of any tracked clock is an integer, by submitting expiry
information one time unit after the corresponding request.

Let $\mathrm{fract}(x)$ stand for the fractional part of the value of a clock $x$. For $Y_1, Y_2 \subseteq X$, two
(partial) clock valuations $\mu \in \mathbb{R}_{\geq 0}^{Y_1}$, $\nu \in \mathbb{R}_{\geq 0}^{Y_2}$ are fractional region equivalent if $Y_1 = Y_2$ and
they exhibit the same relations between fractional parts of clocks: $\mu \models \mathrm{fract}(x) < \mathrm{fract}(x')$
iff $\nu \models \mathrm{fract}(x) < \mathrm{fract}(x')$ and $\mu \models \mathrm{fract}(x) = 0$ iff $\nu \models \mathrm{fract}(x) = 0$, for all $x, x' \in Y_1$. By
a (partial) fractional $X$-region $f$ we mean an equivalence class of this equivalence relation.
All elements $\mu \in \mathbb{R}_{\geq 0}^Y$ in $f$ have the same domain $Y$, which we denote by $\mathrm{dom}(f) = Y$. Let
$O(f) = \{x \in \mathrm{dom}(f) \mid f \models \mathrm{fract}(x) = 0\}$. Let $\mathrm{FReg}(X)$ be the set of all fractional $X$-regions,
including the empty one $f_\emptyset$ with $\mathrm{dom}(f_\emptyset) = \emptyset$. For $r \in \mathrm{Reg}(X, m)$ and $f \in \mathrm{FReg}(X)$, we say
that $f$ agrees with $r$ if they give the same answer for clocks $x, y \in \mathrm{dom}(f)$:

- $f \models \mathrm{fract}(x) < \mathrm{fract}(y)$ if, and only if, $r \models \mathrm{fract}(x) < \mathrm{fract}(y) \vee x > m \vee y > m$;
- $f \models \mathrm{fract}(x) = 0$ if, and only if, $r \models \mathrm{fract}(x) = 0 \vee x > m$.

The successor relation between regions induces a corresponding relation between fractional
regions: $f < f'$ whenever $\mathrm{dom}(f) = \mathrm{dom}(f')$, $f$ agrees with some $r$, $f'$ agrees with some $r'$,
and $r < r'$. The immediate successor is the minimal $f'$ with $f < f'$. Finally, the successor
region of $r$ agreeing with $f$ is $\mathrm{Succ}_{X,m}(r, f) = \min_< \{r' > r \mid f \text{ agrees with } r'\}$. In the sequel
we apply clock resets also to regions $r[Y \mapsto 0]$ and fractional regions.

Let the original game $G = G_{A,B}(W)$ have action alphabets $A, B$ and Player I's winning
condition $W \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$. Thanks to Appendices B.1 and B.2 we assume that $W$ is
both strictly monotonic and zero-starting. We design a new game $G' = G_{A',B'}(W'_{X,m})$ as
follows. We take as the new action alphabets the sets

$A' = (A \cup \{\circ\}) \cdot \mathrm{FReg}(X)$ and $B' = (B \cup \{\circ\}) \cdot 2^X.$ (5)

The players' action sets $A', B'$ depend only on the set of clocks $X$ and do not depend on the
maximal constant $m$. Moves of the form $(\circ, \_)$ are improper and the other ones (i.e., those
involving an $A$ or $B$ component) are proper. Let an infinite play be of the form

$\pi = (a'_1, b'_1, t_1)(a'_2, b'_2, t_2) \cdots \in (A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega$, with $a'_i = (a_i, f_i)$ and $b'_i = (b_i, Y_i)$. (6)

The domain $T_i = \mathrm{dom}(f_i)$ of a fractional region denotes the clocks tracked at time $t_i$, i.e.,
those for which Player I needs to provide expiry information. The sets $Y_i$ denote the clocks which
Player II wants to continue being tracked: by an $x$-request at time $t_i$ we mean a Player
II's move $b'_i$ with $x \in Y_i$. An $x$-request at time $t_i$ is cancelled if there is another $x$-request
for the same clock at some time $t_i < u < t_i + 1$. An improper $x$-request chain starting at
time $t_i$ of length $l \geq 1$ is a sequence of improper non-cancelled $x$-requests at times $t_i, t_i + 1,
\ldots, t_i + l - 2$, followed by an improper (but possibly cancelled) $x$-request at time $t_i + l - 1$.
Likewise one defines an infinite improper $x$-request chain starting at time $t_i$.


> Example 5.1. Before defining the winning set $W'_{X,m}$ formally, we illustrate the underlying
idea. Consider the following partial play $(a_1, b_1, 0)(a_2, b_2, 4.2)(a_3, b_3, 6) \in (A \cdot B \cdot \mathbb{R}_{\geq 0})^*$ in
$G$:

[Figure: time line from 0 to 6 showing the three moves of the play in $G$.]

In $G'$, Player II demands Player I to provide clock expiry information. Let $X = \{x, y\}$ and
$m = 3$. Suppose Player II wants to make sure that $a$ comes at time $\geq 3$. To this end, she
makes an $x$-request chain of length 3 (we write $\hat{x}$ instead of $\mathrm{fract}(x)$; $f_\varphi$ denotes the fractional
$X$-region agreeing with $\varphi$):

[Figure: the emulated play in $G'$ on the same time line, showing Player II's requests and Player I's expiry information.]

The length of an $x$-chain at any given moment corresponds to the integral part of $x$; the
expiry information for $x$ is provided by Player I precisely when the fractional part of $x$ is $0$.


In order to define Wy m it will be convenient to have the following additional data 
extracted from 7. Let 6; = ti — t;-1 > 0 be the time elapsed by Player I at round i (with 
to = 0). Furthermore, let vo = Ax - 0 be the initial clock valuation, and, for i > 0, let 


Vii = (vi + ĝi+1)[Yi+1 > 0]. (7) 


In words, every x-request is interpreted as reset of clock x. The winning condition Wg m in 
the new game will impose, in addition to W, the following further conditions to be satisfied 
by Player I in order to win. Let W} C (A' - B’- R>o)” be the set of plays 7 as in (6) which 
are zero-starting (tı = 0), strictly monotonic and, for every i > 1: 


1. For every $x \in X$, $x$ is expired at time $t_i$ if, and only if, $t_i \geq 1$ and there is a non-cancelled $x$-request at an earlier time $t_j = t_i - 1$.

2. Tracked clocks are consistent with requests: for every clock $x \in X$, $x$ is tracked ($x \in T_i$) at time $t_i$ if, and only if, there is an $x$-request at an earlier $t_j$ with $t_i - 1 < t_j < t_i$.

3. The fractional regions are correct: $f_i$ agrees with $\lfloor (v_{i-1} + \delta_i) \rfloor_{X,m}$.


Thus the conditions above assure that Player I provides exactly all expiry information requested by Player II in a timely manner, and the fractional regions $f_i$ are consistent with the requests and time elapse. Note that any play in $W'_{\mathrm{I}}$ satisfies $0 < v_i(x) < 1$ for every $i \geq 1$ and $x \in T_i$. Indeed, positivity is due to strict monotonicity, and the upper bound is due to the conditions above. Provided Player I satisfies $W'_{\mathrm{I}}$, she wins whenever Player II violates any of the conditions below. Let $W'_{\mathrm{II},m} \subseteq (A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega$ be the set of plays $\pi'$ as in (6) s.t.


4. Player II plays a proper move iff Player I does so.

5. Every improper Player II's $x$-request $b_i$ is a response to Player I's expiry information for $x$: $Y_i \subseteq O(f_i)$. (Proper $x$-requests are allowed unconditionally.)

6. For every clock $x \in X$, the length of Player II's improper $x$-request chains is $< m$. This is the only component in the winning condition which depends on $m$.


Consider the projection function $\phi : (A' \cdot B' \cdot \mathbb{R}_{\geq 0}) \to (A \cdot B \cdot \mathbb{R}_{\geq 0}) \cup \{\varepsilon\}$ s.t. $\phi((a, \_), (b, \_), t) = \varepsilon$ if $a = \bigcirc$ or $b = \bigcirc$, and $\phi((a, \_), (b, \_), t) = (a, b, t)$ if $a \in A$ and $b \in B$, which is extended homomorphically on finite and infinite plays. The winning cond_ition for Player I in $G'$ is

$$W'_{k,m} = W'_{\mathrm{I}} \cap \big(\phi^{-1}(W) \cup (A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega \setminus W'_{\mathrm{II},m}\big). \qquad (8)$$


Since $W$ is an NTA$^\varepsilon$ language, and $W'_{\mathrm{I}}$ and $W'_{\mathrm{II},m}$ are $k$-DTA languages over $A' \cdot B'$, thanks to the closure properties of DTA and NTA$^\varepsilon$ languages the winning condition $W'_{k,m}$ is an NTA$^\varepsilon$ language. In what follows, an untimed controller is a $0,0$-controller. The next two lemmas state the correctness of the reduction. Our assumption on strict monotonicity facilitates the correctness proof since we need not deal with simultaneous events.


▶ Lemma 5.2. If there is a winning $k,m$-controller $M$ for $G$, then there is a winning untimed controller $M'$ for $G'$.


Proof. Let $M = (A, B, L, \ell_0, \delta)$ be a winning $k,m$-controller for $G$ with clocks $X = \{x_1, \ldots, x_k\}$ and update function $\delta : L \cdot A \cdot \mathrm{Reg}(X, m) \to L \cdot B \cdot 2^X$. We define a winning untimed controller $M' = (A', B', L', \triangleright, \delta')$ for $G'$ with memory locations $L' = \{\triangleright\} \cup L \cdot \mathrm{Reg}(X, m)$, where $\triangleright$ is the initial memory location, and the remaining memory locations are of the form $(\ell, r)$, where $\ell \in L$ is the current memory location of $M$ and $r \in \mathrm{Reg}(X, m)$ is the current region of $M$'s clocks. The update function $\delta' : L' \cdot A' \to L' \cdot B'$ (we omit regions and clock resets because $M'$ has no clocks) is defined as follows. As long as the play is in $W'_{\mathrm{I}}$, we can assume that Player I starts with $((a, f_0), t)$ and $t = 0$, due to the zero-starting restriction, which allows Player II to submit requests at time $0$. Consequently, let $\delta'(\triangleright, (a, f)) = ((\ell', r_0), (b, X))$, where the next location $\ell'$ and the response $b$ are determined by $\delta(\ell_0, a, r_0) = (\ell', b)$, and the set $X$ denotes a request to track all clocks. Then, for every $\ell, r, a, f$, let


$$\delta'((\ell, r), (a, f)) = ((\ell', r'), (b, Y)), \qquad (9)$$

where the r.h.s. is defined as follows. Let $T = \mathrm{dom}(f)$ be the currently tracked clocks, and $T_0 = O(f) \subseteq T$ the currently expired ones. If $f$ agrees with no successor region of $r$ then Player II wins immediately because Player I is violating condition 3. Therefore, assume such a successor region $\hat r = \mathrm{succ}_{X,m}(r, f)$ exists. We do a case analysis based on whether Player I plays a proper or an improper move.

■ Case $a \in A$ (proper move): Let $\delta(\ell, a, \hat r) = (\ell', b, Y)$, thus defining $\ell'$ and $(b, Y)$ in (9). Take as the new region $r' = \hat r[Y \mapsto 0]$.

■ Case $a = \bigcirc$ (improper move): Let the response be also improper, $b = \bigcirc$; the control location does not change, $\ell' = \ell$; the new clocks to be tracked are the expired clocks with a short improper chain, $Y = \{x \in T_0 \mid \hat r \models x = 1 \vee \cdots \vee x = m - 1\}$; and $r' = \hat r$.


Consider an infinite $M'$-conform run in $G'$ (omitting clock valuations since $M'$ has no clocks)

$$\rho' = \triangleright\, (a'_1, b'_1, t_1, (\ell_1, r_1))\, (a'_2, b'_2, t_2, (\ell_2, r_2)) \cdots \in \mathrm{Run}_\omega(M'), \quad \text{with } a'_i = (a_i, f_i),\ b'_i = (b_i, Y_i).$$


If the induced play $\pi' = \mathrm{r2p}(\rho') = (a'_1, b'_1, t_1)\,(a'_2, b'_2, t_2) \cdots \in (A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega$ is not in $W'_{\mathrm{I}}$, then Player II wins and we are done. Assume $\pi' \in W'_{\mathrm{I}}$, and thus conditions 1–3 are satisfied. We argue that $\pi' \in W'_{\mathrm{II},m}$: conditions 4 and 5 hold by construction. Aiming at demonstrating that condition 6 holds too, let $\mu_0 = \lambda x \cdot 0$, and, for $i \geq 0$, let

$$\mu_{i+1} = \begin{cases} \mu_i + \delta_{i+1} & \text{if } a_{i+1} = \bigcirc \text{ (improper round)}, \\ (\mu_i + \delta_{i+1})[Y_{i+1} \mapsto 0] & \text{if } a_{i+1} \in A \text{ (proper round)}. \end{cases} \qquad (10)$$

Thus the clock valuations $\mu_i$ are defined exactly as the $v_i$ in (7), except that only proper requests are interpreted as clock resets. We claim that the region information $r_i$ is consistent with $\mu_i$: $r_i = \lfloor \mu_i \rfloor_{X,m}$ (*). Indeed, this is due to $\pi' \in W'_{\mathrm{I}}$, and the fact that $M'$ updates its stored region consistently with time elapse: at every round $M'$ uses the successor region agreeing with the current fractional region submitted by Player I, and resets a set of clocks $Y$ exactly when she plays a proper move of the form $(b, Y) \in B \cdot 2^X$. Since an $x$-request is submitted by $M'$ only when $\hat r \models x < m - 1$, condition 6 holds.
In order to show that Player II is winning, consider an $M'$-conform run $\rho'$. It suffices to show $\pi' = \mathrm{r2p}(\rho') \notin \phi^{-1}(W)$. Let the proper moves in $\rho'$ be at indices $1 = i_1 < i_2 < \cdots$ ($i_1 = 1$ due to zero-starting). In particular, $\ell_i = \ell_{i_j}$ for $i_j \leq i < i_{j+1}$. Consider the run $\rho = (\ell_0, \mu_0)\,(a_{i_1}, b_{i_1}, t_{i_1}, (\ell_{i_1}, \mu_{i_1}))\,(a_{i_2}, b_{i_2}, t_{i_2}, (\ell_{i_2}, \mu_{i_2})) \cdots$. Using (*) and the definition of $M'$, one can prove by induction that $\rho$ is an $M$-conform run in $G$. Since $M$ is winning, the induced play $\pi = \mathrm{r2p}(\rho) = (a_{i_1}, b_{i_1}, t_{i_1})\,(a_{i_2}, b_{i_2}, t_{i_2}) \cdots \in (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$ satisfies $\pi \notin W$. Again by induction one can prove that $\pi = \phi(\pi')$. Hence $\phi(\pi') \notin W$ as required. ◁


▶ Lemma 5.3. If there is a winning untimed controller $M'$ in $G'$, then there is a winning $k,m$-controller $M$ in $G$.


5.2 Solving the k-timed synthesis problem

In this section we prove Theorem 1.3 stating that the $k$-timed synthesis problem is decidable, by reducing it to the $0,0$-synthesis problem, which is decidable by Lemma 3.1. We build on the game defined in Section 5.1. Starting from a timed game $G = G_{A,B}(W)$ we define the timed game $G'' = G_{A',B'}(W''_k)$, where the sets of actions $A'$ and $B'$ are as in (5), and the winning condition $W''_k$ is defined as follows. Let $W''_{\mathrm{II}} \subseteq (A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega$ be the set of plays where, for every clock $x \in X$, improper $x$-request chains have finite lengths: $W''_{\mathrm{II}} = \bigcup_{m \in \mathbb{N}} W'_{\mathrm{II},m}$. (In other words, $(A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega \setminus W''_{\mathrm{II}}$ contains the plays with an infinite improper $x$-request chain, for some clock $x \in X$.) Then, $W''_k$ is defined as $W'_{k,m}$ from (8), except that $W'_{\mathrm{II},m}$ is replaced by the weaker condition $W''_{\mathrm{II}}$ (notice that $W''_{\mathrm{II}}$ does not depend on $m$):

$$W''_k = W'_{\mathrm{I}} \cap \big(\phi^{-1}(W) \cup (A' \cdot B' \cdot \mathbb{R}_{\geq 0})^\omega \setminus W''_{\mathrm{II}}\big). \qquad (11)$$


▶ Lemma 5.4. There is a winning untimed controller for $G''$ if, and only if, there is some $m \in \mathbb{N}$ and a winning untimed controller for $G' = G_{A',B'}(W'_{k,m})$.


Proof. For the “if” direction, we observe that $W''_k \subseteq W'_{k,m}$, for every $m \in \mathbb{N}$. Hence every winning untimed controller for $G'$ is also winning for $G''$. For the “only if” direction, let $M'' = (A', B', L, \ell_0, \delta)$ be an untimed winning controller in $G''$. Let $m = |A'| \cdot |L| + 1$. We claim that $M''$ is also winning in $G' = G_{A',B'}(W'_{k,m})$ for this choice of $m$. Towards reaching a contradiction, suppose $M''$ is losing in $G'$. An $M''$-conform run $\rho$ in $G'$ (or in $G''$) and its associated play $\pi$ are of the form

$$\rho = \ell_0\,(a'_1, b'_1, t_1, \ell_1)\,(a'_2, b'_2, t_2, \ell_2) \cdots \in \mathrm{Run}_\omega(M''), \quad \text{with } a'_i = (a_i, f_i) \text{ and } b'_i = (b_i, Y_i),$$
$$\pi = \mathrm{r2p}(\rho) = (a'_1, b'_1, t_1)\,(a'_2, b'_2, t_2) \cdots \in \mathrm{Play}(M'').$$

Let $\rho_i \in \mathrm{Run}(M'')$ be the finite prefix of $\rho$ ending at $(a'_i, b'_i, t_i, \ell_i)$. Since $M''$ is losing in $G'$, some $M''$-conform play $\pi$ as above is in $W'_{k,m}$. Since $M''$ is winning in $G''$, $\pi \notin \phi^{-1}(W)$, and thus $\pi \in W'_{\mathrm{I}} \setminus W'_{\mathrm{II},m}$. This means that $\pi$ contains an improper $x$-request chain $C$ of length $m$, for some clock $x \in X$. By the definition of $m$, there are indices $i < j$ s.t. the same controller memory repeats together with Player I's action: $(a_j, f_j) = (a_i, f_i)$. In particular $f_i = f_j$. Since $M''$ is deterministic and its action depends only on Player I's action $a'_i$ and control location $\ell_i$, a posteriori we have $b'_i = b'_j$ as well. Moreover, as consecutive timestamps in $C$ are equal to the first one plus consecutive nonnegative integers, $\Delta = t_j - t_i \in \{1, \ldots, m - 1\}$. Consider the corresponding infix $\sigma = (a'_{i+1}, b'_{i+1}, t_{i+1}, \ell_{i+1}) \cdots (a'_j, b'_j, t_j, \ell_j)$ of the run $\rho$. Since $\pi \in W'_{k,m}$, thanks to conditions 2 and 3 the fractional regions $f_i = f_j$ contain all tracked clocks, and they agree with the clock valuations $v_i$ and $v_j$, respectively, as defined in (7). Let $\{t_i - 1 \leq t_{i_1} < t_{i_2} < \cdots < t_{i_l} < t_i\} = \{t_i - v_i(x) \mid x \in \mathrm{dom}(f_i)\}$ be the timestamps corresponding to the last request of the clocks tracked at time $t_i$, and likewise let $\{t_j - 1 \leq t_{j_1} < t_{j_2} < \cdots < t_{j_{l'}} < t_j\} = \{t_j - v_j(x) \mid x \in \mathrm{dom}(f_j)\}$. By assumption, $f_i = f_j$, and hence $l = l'$ and, for $x \in \mathrm{dom}(f_i) = \mathrm{dom}(f_j)$ and $1 \leq h \leq l$, $t_{i_h} = t_i - v_i(x)$ if, and only if, $t_{j_h} = t_j - v_j(x)$ (*). Moreover, since $O(f_i) = O(f_j)$, we have $t_{i_1} = t_i - 1$ if, and only if, $t_{j_1} = t_j - 1$ (**). Player I will win in $G'$ by forcing a repetition of the infix $\sigma$ ad libitum. In order to do so, we need to modify its timestamps. An automorphism of the structure $(\mathbb{R}, <, +1)$ is a monotonic bijection preserving integer differences, in the sense that $f(x + 1) = f(x) + 1$ for every $x \in \mathbb{R}$. Note that such an automorphism is uniquely defined by its action on any unit-length interval. We claim that there exists such an automorphism $f : \mathbb{R} \to \mathbb{R}$ mapping $t_i - 1$ to $t_j - 1$ (and hence forcedly also $t_i$ to $t_j$), and each $t_{i_h}$ with $1 \leq h \leq l$ to $f(t_{i_h}) = t_{j_h}$. This is indeed the case, since by (*) and (**) all timestamps $t_{i_h}$ belong to the unit half-open interval $[t_i - 1, t_i)$ and likewise all timestamps $t_{j_h}$ belong to $[t_j - 1, t_j)$. We apply $f$ to a timed word, $\sigma \mapsto f(\sigma)$, by acting pointwise on timestamps. Consider the infinite run $\rho' = \rho_i \cdot \sigma \cdot f(\sigma) \cdot f(f(\sigma)) \cdots$; it is $M''$-conform since the controller $M''$ is deterministic. By construction, $\rho'$ contains an infinite $x$-request chain, and thus $\rho' \notin W''_{\mathrm{II}}$. It remains to argue that $\rho \in W'_{\mathrm{I}}$ implies $\rho' \in W'_{\mathrm{I}}$ as well. Let there be a non-cancelled $x$-request at time $t_s$ in $\rho'$. If $t_s < t_j - 1$, then this request must be satisfied at time $t_s + 1 < t_j$, and thus already in $\rho_i \cdot \sigma$, which is the case since the latter is a prefix of $\rho \in W'_{\mathrm{I}}$. Now assume $t_j - 1 \leq t_s < t_j$. Thus $t_s = t_{j_h}$ for some $1 \leq h \leq l$. By the definition of $f$, $f^{-1}(t_s) = t_{i_h} < t_j - 1$ and, thanks to the previous case, the request at $t_{i_h}$ is satisfied at $t_{i_h} + 1$ due to (*). By applying $f$ we obtain $f(t_{i_h} + 1) = f(t_{i_h}) + 1 = t_s + 1$, and thus the request at time $t_s$ is satisfied at time $t_s + 1$ in $f(\sigma)$, as required. The general argument for $t_j + n\Delta + d - 1 \leq t_s < t_j + n\Delta + d$, where $n \geq 0$ and $0 \leq d < \Delta$, is similar, using induction on $n$. ◁
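The automorphism construction used in the proof above, as an added Python example that is not part of the paper: it builds $f$ from its action on the unit interval $[t_i - 1, t_i)$, applies it pointwise to an infix $\sigma$ to form $\rho_i \cdot \sigma \cdot f(\sigma) \cdot f(f(\sigma)) \cdots$, and checks that every non-cancelled $x$-request in the result is answered one time unit later. The rounds, clocks and timestamps are constructed, and the dictionary encoding of rounds and all function names are assumptions of this example.

```python
import math
from bisect import bisect_right

# A round of G' is a dict with the timestamp, Player II's requested clocks and the
# clocks Player I reports as expired. Condition 1 of W'_I: a non-cancelled x-request
# at time t must be answered by x being reported expired at time t + 1.
# All rounds below are constructed for this example.
def make_round(t, req=(), exp=()):
    return {"t": float(t), "req": frozenset(req), "exp": frozenset(exp)}

def unit_automorphism(src, dst, lo, lo_dst):
    """Automorphism f of (R, <, +1): a monotone bijection with f(x + 1) = f(x) + 1.
    f is fixed by its action on one unit interval: [lo, lo + 1) is mapped onto
    [lo_dst, lo_dst + 1) piecewise linearly so that the anchors src go to dst in
    order. In the proof of Lemma 5.4, lo = t_i - 1, lo_dst = t_j - 1 and the
    anchors are the last-request timestamps t_{i_h} and t_{j_h}."""
    if len(src) != len(dst):
        raise ValueError("need equally many anchors on both sides (l = l')")
    pairs = sorted(zip(src, dst))
    if any(not lo <= s < lo + 1 for s, _ in pairs) or \
       any(not lo_dst <= d < lo_dst + 1 for _, d in pairs):
        raise ValueError("anchors must lie in the half-open unit intervals")
    # t_i - 1 is sent to t_j - 1 in any case (**): a coincident anchor must agree.
    if any(s == lo and not math.isclose(d, lo_dst) for s, d in pairs):
        raise ValueError("an anchor at lo must be mapped to lo_dst")
    pairs = [(s, d) for s, d in pairs if s > lo]
    xs = [lo] + [s for s, _ in pairs] + [lo + 1]
    ys = [lo_dst] + [d for _, d in pairs] + [lo_dst + 1]
    if any(ys[k] >= ys[k + 1] for k in range(len(ys) - 1)):
        raise ValueError("images must be strictly increasing (f is monotone)")

    def f(x):
        n = math.floor(x - lo)                       # whole units above lo
        x0 = x - n                                   # representative in [lo, lo + 1)
        k = max(0, min(bisect_right(xs, x0) - 1, len(xs) - 2))
        frac = (x0 - xs[k]) / (xs[k + 1] - xs[k])    # linear interpolation
        return ys[k] + frac * (ys[k + 1] - ys[k]) + n
    return f

def apply_pointwise(f, rounds):
    """sigma -> f(sigma): f acts on the timestamps only."""
    return [make_round(f(r["t"]), r["req"], r["exp"]) for r in rounds]

def repeat_infix(prefix, sigma, f, copies):
    """A finite prefix of rho_i . sigma . f(sigma) . f(f(sigma)) ..."""
    run, block = list(prefix), list(sigma)
    for _ in range(copies):
        run.extend(block)
        block = apply_pointwise(f, block)
    return run

def unanswered_requests(run, horizon):
    """Non-cancelled x-requests at time t < horizon with no expiry report at t + 1."""
    bad = []
    for r in run:
        t = r["t"]
        if t >= horizon:
            continue
        for x in sorted(r["req"]):
            cancelled = any(x in s["req"] and t < s["t"] < t + 1 for s in run)
            answered = any(x in s["exp"] and math.isclose(s["t"], t + 1) for s in run)
            if not cancelled and not answered:
                bad.append((x, t))
    return bad

# Constructed instance with t_i = 2 and t_j = 4 (Delta = 2) and clocks x, y. The last
# requests within [t_i - 1, t_i) are x at 1.0 and y at 1.5; within [t_j - 1, t_j) they
# are x at 3.0 and y at 3.7, so f must stretch the interval rather than merely shift it.
PREFIX = [make_round(0.0, req={"x"}), make_round(1.0, req={"x"}, exp={"x"}),
          make_round(1.5, req={"y"}), make_round(2.0, req={"x"}, exp={"x"})]
SIGMA = [make_round(2.5, req={"y"}, exp={"y"}), make_round(3.0, req={"x"}, exp={"x"}),
         make_round(3.5, exp={"y"}), make_round(3.7, req={"y"}),
         make_round(4.0, req={"x"}, exp={"x"})]
F = unit_automorphism(src=[1.0, 1.5], dst=[3.0, 3.7], lo=1.0, lo_dst=3.0)
RUN = repeat_infix(PREFIX, SIGMA, F, copies=4)
```

Without the continuation, the request $y$ at $3.7$ in $\rho_i \cdot \sigma$ has no answer; in the repeated run every request below the horizon is answered at exactly $+1$.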


Proof of Theorem 1.3. Due to Lemmas 5.2 to 5.4 there is a winning untimed controller $M''$ for $G''$ if, and only if, there is some $m \in \mathbb{N}$ and a winning $k,m$-controller $M$ for $G$. Thus the $k$-synthesis problem reduces to the $0,0$-synthesis problem, and the latter is decidable thanks to Lemma 3.1. ◁


6 Future work 


While deterministic separators may need exponentially many clocks (cf. Example 4.2), we do not have a computable upper bound on the number of clocks of the separating automaton (if one exists). We leave the DTA separability problem when the number of clocks is not fixed in advance as a challenging open problem. In this case, we cannot reduce the separability problem to a timed synthesis problem, since the latter is undecidable.


▶ Theorem 6.1. The timed synthesis problem is undecidable, and this holds already when Player I's winning condition is a 1-NTA language.


We leave the computational complexity of separability as future work. 

Deterministic separability can be considered also over infinite timed words. We chose to 
present the case of finite words because it allows us to focus on the essential ingredients of 
this problem. When going to infinite words, new phenomena appear already in the untimed 
setting; for instance, deterministic Büchi automata are less expressive than deterministic 
parity automata, and thus one should additionally specify in the input which priorities can 
be used by the separator; or leave them unspecified and solve a more difficult problem. 

Analogous results about separability of register automata can be obtained with techniques 
similar to the one presented in this paper. We leave such developments for further work. 
A Missing proofs in Section 3


We first define synthesis games in the untimed setting, and then formally show that the 
timed synthesis problem for 0,0-controllers is decidable by reduction to the untimed setting. 


Synthesis games. Let $A$ and $B$ be two finite alphabets of actions and let $W \subseteq (A \cdot B)^\omega$ be a language of $\omega$-words over the alphabet $A \cdot B$. The synthesis game is played by Player I and Player II in rounds. At round $i > 0$, Player I chooses an action $a_i \in A$ and then Player II chooses a response $b_i \in B$. The game is played for $\omega$ rounds, and at doomsday the two players have produced an infinite play $\pi = a_1 b_1 a_2 b_2 \cdots \in (A \cdot B)^\omega$. Player I wins the game if, and only if, $\pi \in W$.

A controller for Player II is a Mealy machine of the form $M = (A, B, L, \ell_0, \delta)$ where $L$ is a finite set of memory locations, $\ell_0 \in L$ is the initial memory location, and $\delta : L \cdot A \to L \cdot B$ is the update function mapping the current memory $\ell \in L$ and input $a \in A$ to $\delta(\ell, a) = (\ell', b)$, where $\ell' \in L$ is the next memory location and $b \in B$ is an output symbol. We define by mutual induction the notion of $M$-conform partial runs $\mathrm{Run}(M) \subseteq L \cdot (A \cdot B \cdot L)^*$ and the strategy $\llbracket M \rrbracket : \mathrm{Run}(M) \cdot A \to L \cdot B$ induced by the controller on conform runs as follows: Initially, $\ell_0 \in \mathrm{Run}(M)$. Inductively, for every $n \geq 0$ and every $M$-conform partial run $\pi = \ell_0 (a_1 b_1 \ell_1) \cdots (a_n b_n \ell_n) \in \mathrm{Run}(M)$, for every $a \in A$, $\llbracket M \rrbracket(\pi \cdot a) = (\ell, b)$ for the unique $\ell, b$ s.t. $\delta(\ell_n, a) = (\ell, b)$, and $\pi \cdot (a b \ell) \in \mathrm{Run}(M)$. An infinite $M$-conform run is any sequence $\pi \in L \cdot (A \cdot B \cdot L)^\omega$ such that every finite prefix thereof is $M$-conform. By $\mathrm{r2p}(\pi)$ we denote the infinite play obtained from $\pi$ by dropping locations.

The synthesis problem amounts to decide, given $A$, $B$ and an $\omega$-regular language $W \subseteq (A \cdot B)^\omega$, whether there is a controller $M$ s.t. every infinite $M$-conform run $\rho$ satisfies

$$\mathrm{r2p}(\rho) \notin W.$$


▶ Theorem A.1 ([9, Theorem 1']). The synthesis problem is decidable.

▶ Lemma 3.1. The $0,0$-synthesis problem is decidable.


Proof. Consider a timed synthesis game $G_{A,B}(W)$ and let $W' = \mathrm{untime}(W)$. Winning $0,0$-controllers in $G_{A,B}(W)$ are in one-to-one correspondence with winning controllers in the corresponding untimed synthesis game with winning condition $W'$. Indeed, the update function $\delta : L \cdot A \cdot \mathrm{Reg}(k, m) \to L \cdot B \cdot 2^X$ of a $k,m$-controller $M$ when $k = m = 0$ can equivalently be presented as a function of type $L \cdot A \to L \cdot B$ (which we take as the update function in the untimed controller $M'$), and all functions of the latter type arise in this way. If $M$ is losing in $G_{A,B}(W)$, then there is an $M$-conform run $\rho \in W$, and thus $\mathrm{untime}(\rho)$ is an $M'$-conform run in $W'$, showing that $M'$ is losing in the corresponding untimed synthesis game. On the other hand, let $\rho' \in W'$ be $M'$-conform. Since $M$ does not look at the timestamps, we can choose them accordingly in order to find an $M$-conform timing thereof $\rho \in \mathrm{untime}^{-1}(\rho') \cap W$. Untimed synthesis is decidable by Theorem A.1. ◁


B Missing proofs in Section 5


B.1 Zero-starting winning conditions 


A timed language $W \subseteq (\Sigma \cdot \mathbb{R}_{\geq 0})^\omega$ is zero-starting iff all its words $(a_0, t_0)(a_1, t_1) \cdots \in W$ satisfy $t_0 = 0$. We show that solving an arbitrary timed game reduces to solving one with a zero-starting winning condition. Let $G = G_{A,B}(W)$ be a timed game, where $W \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$. We design an equivalent timed game $G' = G_{A',B}(W')$, where actions of Player I are in $A' = A \cup \{\triangleright\}$, and the zero-starting winning condition is $W' = \{(\triangleright, b, 0) \cdot w \mid w \in W\}$. There is a winning $k,m$-controller $M$ for $G$ if, and only if, there is a winning $k,m$-controller $M'$ in $G'$. Indeed, $M'$ is obtained from $M$ by responding arbitrarily to every $\triangleright$, and conversely, $M$ is obtained from $M' = (A', B, L', \ell'_0, \delta')$ by restricting to $A$ and letting the initial location be the unique $\ell_0$ s.t. $\delta'(\ell'_0, \triangleright, r_0) = (\ell_0, \_, \_)$.


B.2 Strictly monotonic winning conditions 


Solving a timed game $G = G_{A,B}(W)$ with a monotonic winning condition $W \subseteq (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$ reduces to solving one $G' = G_{A',B}(W')$ with a strictly monotonic winning condition $W' \subseteq (A' \cdot B \cdot \mathbb{R}_{\geq 0})^\omega$. We take Player I's actions to be in $A' = A \cdot \{0, 1\}$. Consider the function $\phi$ mapping a play in $G'$ of the form

$$\pi' = ((a_0, f_0), b_0, t'_0)\,((a_1, f_1), b_1, t'_1) \cdots \in (A' \cdot B \cdot \mathbb{R}_{\geq 0})^\omega \qquad (12)$$

to a corresponding play in $G$

$$\pi = \phi(\pi') = (a_0, b_0, t_0)\,(a_1, b_1, t_1) \cdots \in (A \cdot B \cdot \mathbb{R}_{\geq 0})^\omega \qquad (13)$$

where the new sequence of timestamps $t_0 t_1 \cdots \in \mathbb{R}_{\geq 0}^\omega$ is defined as $t_0 = t'_0$ and, inductively, $t_{i+1} = t_i$ if $f_{i+1} = 0$, and $t_{i+1} = t'_{i+1}$ otherwise. Let $W_< = \{\pi \mid t_0 < t_1 < \cdots\}$ be the language of strictly monotonic plays. The winning condition in $G'$ is then

$$W' = \phi^{-1}(W) \cap W_<.$$

We argue that the two games have the same winner.

▶ Lemma B.1. If Player II has a $k,m$-winning controller in $G$, then the same holds in $G'$.


Proof. Let $M = (A, B, L, \ell_0, \delta)$ be a $k,m$-winning controller for Player II in $G$. We build a winning controller $M' = (A', B, L', \ell'_0, \delta')$ for the same player in $G'$ as follows. Control locations are $L' = L \cdot \mathrm{Reg}(k, m)$, the initial location is $\ell'_0 = (\ell_0, r_0)$, and the transition relation $\delta'$ is defined, for every input $(\ell, \varrho), (a, f), \varrho'$, as

$$\delta'((\ell, \varrho), (a, f), \varrho') = \begin{cases} ((\ell', \varrho), b, Y) & \text{if } f = 0 \text{ and } \delta(\ell, a, \varrho) = (\ell', b, Y), \\ ((\ell', \varrho'), b, Y) & \text{if } f = 1 \text{ and } \delta(\ell, a, \varrho') = (\ell', b, Y). \end{cases}$$

Assume $\pi'$ is an $M'$-conform play as in (12). If it is not strictly monotonic, then $\pi' \notin W'$ and we are done. Otherwise, assume $\pi'$ is strictly monotonic. Towards reaching a contradiction, assume $\pi' \in \phi^{-1}(W)$. Therefore, $\pi = \phi(\pi') \in W$ as in (13). By the definition of $\delta'$, $\pi$ is $M$-conform, contradicting that $M$ is winning. ◁


▶ Lemma B.2. If Player II has a $k,m$-winning controller in $G'$, then the same holds in $G$.


Proof. Let $M' = (A', B, L', \ell'_0, \delta')$ be a $k,m$-winning controller for Player II in $G'$. We assume w.l.o.g. that Player II remembers the input region when the flag $f = 1$ was played last. Thus, locations in $L'$ are of the form $(\ell, \varrho)$. We build a winning controller $M = (A, B, L', \ell'_0, \delta)$ for Player II in $G$ where

$$\delta((\ell, \varrho), a, \varrho') = \begin{cases} ((\ell', \varrho), b, Y) & \text{if } \varrho' = \varrho \text{ and } \delta'((\ell, \varrho), (a, 0), \varrho') = ((\ell', \varrho), b, Y), \\ ((\ell', \varrho'), b, Y) & \text{if } \varrho' \neq \varrho \text{ and } \delta'((\ell, \varrho), (a, 1), \varrho') = ((\ell', \varrho'), b, Y). \end{cases}$$

Let $\pi$ be an $M$-conform play and assume towards a contradiction that $\pi \in W$. We can choose sufficiently small increments in order to make all sequences of equal timestamps in $\pi$ become strictly monotonic, and choose the flags $f_i$ accordingly, and obtain a play $\pi'$ s.t. $\pi = \phi(\pi')$. By the definition of $\delta$, $\pi'$ is $M'$-conform. But $\pi' \in W'$, contradicting that $M'$ is winning in $G'$. ◁


B.3 Proof of Lemma 5.3


▶ Lemma 5.3. If there is a winning untimed controller $M'$ in $G'$, then there is a winning $k,m$-controller $M$ in $G$.


Complete winning controllers. In what follows we restrict to plays satisfying $W'_{\mathrm{I}}$. For proving Lemma 5.3, the converse of Lemma 5.2, we need to understand the general shape of any possible untimed winning controller $M' = (A', B', L', \ell'_0, \delta')$ in $G'$. We say that such an $M'$ is complete if its control locations are of the form $L' = L \cdot \mathrm{Reg}(X, m) \cdot \mathrm{FReg}(X)$, $\ell'_0 = (\ell_0, r_0, f_0)$, and every $M'$-conform run is of the form

$$(\ell_0, r_0, f_0)\,((a_1, f_1), (b_1, Y_1), t_1, (\ell_1, r_1, f'_1))\,((a_2, f_2), (b_2, Y_2), t_2, (\ell_2, r_2, f'_2)) \cdots \qquad (14)$$

where for each $i \geq 1$, the fractional region $f'_i$ stored in a location agrees with the region $r_i$, its domain is $\mathrm{dom}(f'_i) = \{x \in X \mid \text{there is an } x\text{-request at time } u \text{ with } t_i - 1 < u \leq t_i\}$, and $r_i = \lfloor \mu_i \rfloor_{X,m}$ for the clock valuations $\mu_i$ as defined in (10). It is not difficult to see that complete winning controllers suffice in $G'$.


▶ Lemma B.3. If there is a winning untimed controller $M'$ in $G'$, then there is a winning complete one.

Proof. When Player I plays $a' = (a, f)$, the complete controller simulates $M'$. Additionally, it uses the fractional region $f$ and the current region $r$ to compute the next region $r'$ (similarly as in the proof of Lemma 5.2) and the next fractional region $f'$. Let $\hat r = \mathrm{succ}_{X,m}(r, f)$, hence $\hat r$ agrees with $f$. Then, $r' = \hat r$ in improper moves, and in proper moves of the form $b' = (b, Y)$, let $r' = \hat r[Y \mapsto 0]$. Let $f''$ be the restriction of $f$ to $\mathrm{dom}(f) \setminus O(f)$, and let $\mathrm{dom}(f') = \mathrm{dom}(f'') \cup Y$ and $f' = f''[Y \mapsto 0]$ (thus $\mathrm{dom}(f')$ possibly increases in the case of a proper move). This ensures that $f'$ agrees with $r'$ and $\mathrm{dom}(f')$ contains all requested clocks. ◁


▶ Lemma B.4. If there is a complete winning untimed controller $M'$ in $G'$, then there is a winning $k,m$-controller $M$ in $G$.

Proof. Let $M' = (A', B', L', \ell'_0, \delta')$ be a winning complete controller in $G'$ with $L' = L \cdot \mathrm{Reg}(X, m) \cdot \mathrm{FReg}(X)$, $\ell'_0 = (\ell_0, r_0, f_0)$, and update function of the form $\delta' : L' \cdot A' \to L' \cdot B'$. We define a winning $k,m$-controller $M = (A, B, L', \ell'_0, \delta)$ in $G$ over the same set of control locations $L'$, and update function $\delta : L' \cdot A \cdot \mathrm{Reg}(X, m) \to L' \cdot B \cdot 2^X$. In order to define one step of $\delta$ (which corresponds to a proper move) we need to take many steps of $\delta'$ to skip all improper moves preceding the corresponding proper one. Let

$$\delta((\ell, r, f), a, \hat r) = ((\ell'', r'', f''), b, Y), \qquad (15)$$

for $a \in A$, be recursively defined as follows:

1. In the base case, we have $r \leq \hat r$ and $f$ agrees with $\hat r$ (as a special case we may have $r = \hat r$). We apply the transition function of $M'$ and obtain directly the r.h.s. in (15) as $((\ell'', r'', f''), b, Y) = \delta'((\ell, r, f), (a, f))$, where $r'' = \hat r[Y \mapsto 0]$ and $f''$ agrees with $r''$.

2. In the next case, we have $r < \hat r$ and $f$ does not agree with $\hat r$. Let $f'$ be the immediate successor of $f$, and let $\delta'((\ell, r, f), (\bigcirc, f')) = ((\ell', r', f'), (\bigcirc, \_))$, where necessarily $r' = \mathrm{succ}_{X,m}(r, f')$, and $r'$ agrees with $f'$. Then, we recursively define the r.h.s. in (15) as $((\ell'', r'', f''), b, Y) = \delta((\ell', r', f'), a, \hat r)$.

3. In any other case, $\hat r$ is not a successor region of $r$. Thanks to completeness (14), $r$ is the region of the current clock valuation, and thus the controller can be defined arbitrarily because Player II is already winning, since Player I is losing due to violation of $W'_{\mathrm{I}}$.

The recursion above ends, and thus $\delta$ is well-defined, since there are only finitely many regions and $<$ is a strict total order on regions.

Consider an infinite $M$-conform run $\rho \in \mathrm{Run}_\omega(M)$. By the definition of $\delta$, there is a corresponding $M'$-conform run $\rho' \in \mathrm{Run}_\omega(M')$ as in (14) where Player I in $G'$ plays optimally (satisfying $W'_{\mathrm{I}}$), and $\rho$ arises from $\rho'$ by combining together adjacent sequences of improper moves: Let the proper moves in $\rho'$ be at indices $1 = i_1 < i_2 < \cdots$. Then, $\rho$ is of the form

$$\rho = ((\ell_0, r_0, f_0), \mu_0)\,(a_1, b_1, t_{i_1}, ((\ell_{i_1}, r_{i_1}, f'_{i_1}), \mu_{i_1}))\,(a_2, b_2, t_{i_2}, ((\ell_{i_2}, r_{i_2}, f'_{i_2}), \mu_{i_2})) \cdots, \quad \text{where } a_j = \phi(a'_{i_j}) \text{ and } b_j = \phi(b'_{i_j}).$$

Since Player I plays optimally when building $\rho'$, the corresponding play $\pi' = \mathrm{r2p}(\rho') = (a'_1, b'_1, t_1)\,(a'_2, b'_2, t_2) \cdots$ is in $W'_{\mathrm{I}}$, and since $M'$ is winning, $\pi' \in W'_{\mathrm{II},m}$ and $\pi' \notin \phi^{-1}(W)$. If the corresponding play $\pi = \mathrm{r2p}(\rho) = (a_1, b_1, t_{i_1})\,(a_2, b_2, t_{i_2}) \cdots$ in $G$ was winning for Player I, which means $\pi \in W$, since $\phi(\pi') = \pi$ we would have $\pi' \in \phi^{-1}(W)$, a contradiction. ◁


C Undecidability of timed synthesis for 1-NTA conditions


In this section we show that the timed synthesis problem is undecidable, thus complementing the decidability results in Section 5 about the $k$-timed synthesis problems when the number of clocks $k$ available to Player II is fixed in advance. We show undecidability already in the case when the winning condition of Player I is a 1-NTA language.


▶ Theorem 6.1. The timed synthesis problem is undecidable, and this holds already when Player I's winning condition is a 1-NTA language.


We reduce from the finiteness problem for lossy counter machines, which is undecidable [39, Theorem 13]. A $k$-counter lossy counter machine ($k$-LCM) is a tuple $M = (C, Q, q_0, \Delta)$, where $C = \{c_1, \ldots, c_k\}$ is a set of $k$ counters, $Q$ is a finite set of control locations, $q_0 \in Q$ is the initial control location, and $\Delta$ is a finite set of instructions of the form $(p, op, q)$, where $op$ is one of $c{+}{+}$, $c{-}{-}$, and $c = 0$. A configuration of an LCM $M$ is a pair $(p, \mu)$, where $p \in Q$ is a control location, and $\mu \in \mathbb{N}^C$ is a counter valuation. For two counter valuations $\mu, \nu \in \mathbb{N}^C$, we write $\mu \leq \nu$ if $\mu(c) \leq \nu(c)$ for every counter $c \in C$. The semantics of an LCM $M$ is given by a (potentially infinite) transition system over the configurations of $M$ s.t. there is a transition $(p, \mu) \xrightarrow{\delta} (q, \nu)$, for $\delta = (p, op, q) \in \Delta$, whenever

1) $op = c{+}{+}$ and $\nu \leq \mu[c \mapsto \mu(c) + 1]$, or
2) $op = c{-}{-}$ and $\nu \leq \mu[c \mapsto \mu(c) - 1]$, or
3) $op = (c = 0)$ and $\mu(c) = 0$ and $\nu \leq \mu$.

The finiteness problem (a.k.a. space boundedness) for an LCM $M$ asks to decide whether the reachability set

$$\mathrm{Reach}(M) = \{(p, \mu) \mid (q_0, \mu_0) \to^* (p, \mu)\}$$

is finite, where $\mu_0 = \lambda c \cdot 0$ is the constantly $0$ counter valuation.

▶ Theorem C.1 ([39, Theorem 13]). The 4-LCM finiteness problem is undecidable.


We use the following encoding of LCM runs (cf. [36, Definition 4.6] for a similar encoding) into timed words. We assume that there are four lossy counters $C = \{c_1, c_2, c_3, c_4\}$. A strictly monotonic timed word $u$ (i.e., any two adjacent letters therein occur one strictly after the other) over alphabet $C$ whose untiming is of the form $\mathrm{untime}(u) = c_1^{n_1} c_2^{n_2} c_3^{n_3} c_4^{n_4}$ encodes the counter valuation $\mu \in \mathbb{N}^C$ defined by $\mu(c_j) = n_j$ for every $j \in \{1, 2, 3, 4\}$. In this case, we slightly abuse notation and write $u(c_j) = n_j$. A timed word $\tau_A$ over alphabet $A = Q \cup \Delta \cup C$ is a correct encoding of an LCM run

$$(p_n, u_n) \xrightarrow{\delta_{n-1}} (p_{n-1}, u_{n-1}) \xrightarrow{\delta_{n-2}} \cdots \xrightarrow{\delta_0} (p_0, u_0)$$

if its untiming is of the form

$$\mathrm{untime}(\tau_A) = p_0\, u_0\, \delta_0 \cdots p_{n-1}\, u_{n-1}\, \delta_{n-1}\, p_n\, u_n$$

and the following conditions are satisfied:

(C1) for every $i$, $p_i \in Q$, $u_i \in \{c_1\}^* \{c_2\}^* \{c_3\}^* \{c_4\}^*$, and $\delta_i$ is a transition of the form $\delta_i = (p_{i+1}, op, p_i)$;
(C2) $p_0$ occurs at time $0$;
(C3) for every $0 \leq i < n$, $p_{i+1}$ occurs exactly one time unit after $p_i$;
(C4) $\tau_A$ is strictly monotonic;
(C5) for every transition $\delta_i = (p_{i+1}, op, p_i)$ and counter $c_j \in \{c_1, c_2, c_3, c_4\}$,
(C5.1) if $op = c_j{+}{+}$, then each occurrence of $c_j$ in $u_i$ is followed by an occurrence of $c_j$ in $u_{i+1}$ after exactly one time unit, perhaps with the exception of the last occurrence of $c_j$ in $u_i$; consequently, $u_{i+1}(c_j) \geq u_i(c_j) - 1$.
(C5.2) if $op = c_j{-}{-}$, then
(C5.2.1) each occurrence of $c_j$ in $u_i$ is followed by an occurrence of $c_j$ in $u_{i+1}$ after exactly one time unit, and moreover
(C5.2.2) the last occurrence of $c_j$ in $u_{i+1}$ does not have a matching occurrence one time unit earlier in $u_i$;
consequently, $u_{i+1}(c_j) \geq u_i(c_j) + 1$.
(C5.3) if $op = (c_j = 0)$, then $u_{i+1}(c_j) = u_i(c_j) = 0$.
(C5.4) otherwise, each occurrence of $c_j$ in $u_i$ is followed by an occurrence of $c_j$ in $u_{i+1}$ after exactly one time unit; consequently, $u_{i+1}(c_j) \geq u_i(c_j)$.
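The encoding conditions (C1)–(C5) together with the lossy semantics 1)–3), as an added Python example that is not part of the paper: a checker that splits a timed word into blocks $p_i u_i \delta_i$, reports which conditions a word violates, decodes the run $(p_n, u_n) \to \cdots \to (p_0, u_0)$, and confirms that each decoded step is a lossy transition. The representation of letters, the function names and the sample words are constructed assumptions of this example.

```python
from math import isclose

COUNTERS = ("c1", "c2", "c3", "c4")

# A timed word is a list of (letter, timestamp). Letters are control locations (strings
# that are not counter names), counter names "c1".."c4", or instruction triples
# (p_next, op, p) with op one of "cj++", "cj--", "cj=0". The words below are constructed.

def split_blocks(word):
    """Cut the word into blocks p_i u_i delta_i; the last block carries no delta."""
    blocks, k = [], 0
    while k < len(word):
        loc = word[k]
        if not isinstance(loc[0], str) or loc[0] in COUNTERS:
            raise ValueError("each block must start with a control location")
        k += 1
        us = []
        while k < len(word) and word[k][0] in COUNTERS:
            us.append(word[k]); k += 1
        instr = None
        if k < len(word) and isinstance(word[k][0], tuple):
            instr = word[k]; k += 1
        blocks.append((loc, us, instr))
    return blocks

def matched(t, occ_next):
    """The occurrence at time t has a matching occurrence exactly one time unit later."""
    return any(isclose(t2, t + 1.0) for t2 in occ_next)

def check_encoding(word):
    """List of violated conditions; [] means the word is a correct encoding."""
    errs = []
    if any(word[k + 1][1] <= word[k][1] for k in range(len(word) - 1)):
        errs.append("C4")                                   # strict monotonicity
    blocks = split_blocks(word)
    if not isclose(blocks[0][0][1], 0.0):
        errs.append("C2")                                   # p_0 at time 0
    for i, (loc, us, instr) in enumerate(blocks):
        idx = [COUNTERS.index(c) for c, _ in us]
        if idx != sorted(idx) or (instr is None) != (i == len(blocks) - 1):
            errs.append(f"C1@{i}")                          # shape c1* c2* c3* c4*
        if instr is None or i + 1 == len(blocks):
            continue
        (p_next, op, p), _ = instr
        nxt_loc, nxt_us, _ = blocks[i + 1]
        if p != loc[0] or p_next != nxt_loc[0]:
            errs.append(f"C1@{i}")                          # delta_i = (p_{i+1}, op, p_i)
        if not isclose(nxt_loc[1], loc[1] + 1.0):
            errs.append(f"C3@{i}")                          # p_{i+1} one unit after p_i
        for cj in COUNTERS:
            occ = [t for c, t in us if c == cj]
            occ_next = [t for c, t in nxt_us if c == cj]
            if op == cj + "++":                             # (C5.1): last one may be unmatched
                ok = all(matched(t, occ_next) for t in occ[:-1])
            elif op == cj + "--":                           # (C5.2.1) and (C5.2.2)
                ok = all(matched(t, occ_next) for t in occ) and bool(occ_next) \
                    and not any(isclose(occ_next[-1], t + 1.0) for t in occ)
            elif op == cj + "=0":                           # (C5.3)
                ok = not occ and not occ_next
            else:                                           # (C5.4)
                ok = all(matched(t, occ_next) for t in occ)
            if not ok:
                errs.append(f"C5@{i}:{cj}")
    return errs

def decode_run(word):
    """Configurations (p_n, u_n), ..., (p_0, u_0) in run order, and the ops between them."""
    blocks = split_blocks(word)
    confs = [(loc[0], {c: sum(1 for x, _ in us if x == c) for c in COUNTERS})
             for loc, us, _ in blocks]
    ops = [instr[0][1] for _, _, instr in blocks if instr is not None]
    return list(reversed(confs)), list(reversed(ops))

def lossy_step(mu, op, nu):
    """Semantics 1)-3): (p, mu) --op--> (q, nu) iff nu <= mu updated by op.
    The paper leaves the case mu(c) = 0 for c-- implicit; we treat it as disabled."""
    c, kind = op[:2], op[2:]
    upd = dict(mu)
    if kind == "++":
        upd[c] += 1
    elif kind == "--":
        if mu[c] == 0:
            return False
        upd[c] -= 1
    elif kind == "=0" and mu[c] != 0:
        return False
    return all(nu[x] <= upd[x] for x in COUNTERS)

def encodes_lossy_run(word):
    """Correct encoding whose decoded steps are all lossy transitions."""
    if check_encoding(word):
        return False
    confs, ops = decode_run(word)
    return all(lossy_step(confs[k][1], ops[k], confs[k + 1][1]) for k in range(len(ops)))

# Constructed sample: run (p2, c1=1) --c1++--> (p1, c1=2) --c2++--> (p0, c1=1, c2=1),
# written in reverse as p0 u0 delta0 p1 u1 delta1 p2 u2; one unit of c1 is lost at the end.
GOOD_WORD = [("p0", 0.0), ("c1", 0.1), ("c2", 0.5), (("p1", "c2++", "p0"), 0.7),
             ("p1", 1.0), ("c1", 1.1), ("c1", 1.3), (("p2", "c1++", "p1"), 1.5),
             ("p2", 2.0), ("c1", 2.1)]
# The same word with the c1 of u2 moved, so the c1 at time 1.1 in u1 has no match at 2.1.
BAD_WORD = GOOD_WORD[:-1] + [("c1", 2.4)]
```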


We design a game where Player I builds encodings of LCM runs as above; accordingly, let her actions be $A$. Player II either plays $\mathrm{OK}$ when she believes that the encoding so far does not contain any mistake, or she plays an action of the form $\mathrm{ERROR}_e$ when she believes that an error of type $e$ occurred (to be explained below), where

$$e \in \{1, 2, 3, 4\} \cup \{5.1, 5.2.1, 5.2.2, 5.3, 5.4\} \cdot \{c_1, c_2, c_3, c_4\} \cdot \{T_1, T_2\}.$$


Let $\pi = a_1 b_1 t_1 \cdots a_i b_i t_i \in (A \cdot B \cdot \mathbb{R}_{\geq 0})^*$ be the actions played till the end of round $i$, and let $\tau_A = a_1 t_1 \cdots a_i t_i \in (A \cdot \mathbb{R}_{\geq 0})^*$ be the corresponding purported encoding of (a prefix of) an LCM run. Let $\delta = (\_, op, \_)$ be the last action of this form played so far. The most common type of error in the encoding is that a $c_j$ does not have a matching occurrence of $c_j$ one time unit later. There are two possible ways in which such a disappearance may occur:

$T_1$: Letter $c_j$ occurs at time $t = t_i - 1$ and $a_i \neq c_j$.
$T_2$: Letter $c_j$ occurs at some time $t_{i-1} - 1 < t < t_i - 1$.

We require Player II to specify precisely which variant $X \in \{T_1, T_2\}$ of the error actually occurred. It will be convenient to define the predicate $P(c_j, X)$ which holds if Player II incorrectly marks the disappearance of $c_j$, i.e., either $X = T_1$ and if there is an earlier occurrence of $c_j$ at time $t = t_i - 1$ then $a_i = c_j$, or $X = T_2$ and there is an earlier occurrence of $c_j$ at time $t \in \{t_{i-1}, t_i\}$ (both conditions are 1-NTA-recognisable). We are now ready to define the winning condition of the game. If Player II plays $\mathrm{OK}$ but $\tau_A$ contains an error violating one of the conditions (C1)–(C5), then the game ends and Player I wins immediately. (Plays of this form can be recognised by a 1-NTA as in [36].) If Player II plays $\mathrm{ERROR}_e$, then the game ends and Player I wins iff an error of type $e$ did not occur. This is the case if any of the following conditions mimicking (C1)–(C5) holds:


(W1) Player II played $b_i = \mathrm{ERROR}_1$ but (C1) is satisfied.
(W2) Player II played $b_i = \mathrm{ERROR}_2$ but (C2) is satisfied.
(W3) Player II played $b_i = \mathrm{ERROR}_3$ but (C3) is satisfied.
(W4) Player II played $b_i = \mathrm{ERROR}_4$ but (C4) is satisfied.
(W5) Player II incorrectly marks that condition (C5) is not satisfied:

(W5.1) Player II plays $b_i = \mathrm{ERROR}_{5.1, c_j, X}$ and either $op \neq c_j{+}{+}$, or $P(c_j, X)$ holds, or there is an occurrence of $c_j$ at some time $t_{i-1} - 1 < t < t_i - 1$ which is immediately followed by another occurrence of $c_j$ (and thus it is not the last one).

(W5.2) Player II plays $b_i = \mathrm{ERROR}_{5.2.N, c_j, X}$ and either $op \neq c_j{-}{-}$, or

(W5.2.1) $N = 1$ and $P(c_j, X)$, or

(W5.2.2) $N = 2$ ($X$ is irrelevant in this case) and: either $a_i = c_j$ (thus the last occurrence of $c_j$ has possibly not been seen); or $a_{i-1} = c_j$, $a_i \neq c_j$ (thus the last occurrence has been seen), but there is an occurrence of $c_j$ at time $t = t_{i-1} - 1$ (this last occurrence has a match one time unit before).

(W5.3) Player II plays $b_i = \mathrm{ERROR}_{5.3, c_j, X}$ ($X$ is irrelevant in this case) and either $op \neq (c_j = 0)$, or there is no occurrence of $c_j$ in the last two configurations $u_{i-1}, u_i$.
(W5.4) Player II plays $b_i = \mathrm{ERROR}_{5.4, c_j, X}$ and either $op$ involves counter $c_j$, or $P(c_j, X)$.


Finally, if the game goes on forever, then Player I loses. All conditions (W1)–(W5) are 1-NTA recognisable (condition (W5.3) is even untimed), and so is their disjunction. The following lemma states the correctness of the reduction.
▶ Lemma C.2. The set of reachable configurations $\mathrm{Reach}(M)$ is finite if, and only if, there is a winning controller for Player II in the game.


Proof. For the “only if” direction, assume that $\mathrm{Reach}(M)$ is finite. There is some $k$ s.t. every reachable configuration $(p, \mu)$ has size $\mu(c_1) + \mu(c_2) + \mu(c_3) + \mu(c_4) + 1 \leq k$. In this case, the set of correct timed encodings of runs of $M$ can be recognised by a $(k+2)$-DTA $\mathcal{A}$ which resets clock $x_j$ when reading the $j$-th position of block $p_i u_i \delta_i$ (which is of length $\leq k + 2$). From $\mathcal{A}$ we can immediately produce a winning controller for Player II with $k$ clocks: the controller reads the word and checks membership in $L(\mathcal{A})$, outputting $\mathrm{OK}$ when membership holds and the appropriate error $\mathrm{ERROR}_e$ otherwise. The exact error $e$ can deterministically be determined by looking at the values of the clocks $x_1, \ldots, x_{k+2}$ (details omitted).

For the “if” direction, assume that $\mathrm{Reach}(M)$ is infinite, and thus there exist reachable configurations with arbitrarily large counter values. Suppose, towards reaching a contradiction, that Player II has a winning controller $M$ with $k$ clocks. We can see $M$ as a $k$-DTA which additionally produces at each step an action of the form $\mathrm{OK}$ or $\mathrm{ERROR}_e$ (in a deterministic manner, just based on the current input and state). We can produce a $k$-DTA $\mathcal{A}$ by removing all transitions outputting actions of the form $\mathrm{ERROR}_e$, removing the output labelling $\mathrm{OK}$ from the remaining transitions, and making all the remaining reachable control locations accepting. Since $M$ is winning, it outputs $\mathrm{OK}$ precisely when the encoding is correct. Therefore, the $\mathcal{A}$ just constructed recognises precisely the set of correct encodings of runs of $M$. We show that this leads to a contradiction, using the fact that $M$ is unbounded. There exists a run $\pi$ of $M$ where some counter value exceeds $k$, and thus when $\mathcal{A}$ reads the reversal-encoding of $\pi$ it must forget some timestamp (say) $(c_1, t)$ from configuration $p_i \delta_i u_i$. Since $t$ is forgotten, we can perturb its corresponding $(c_1, t + 1)$ in $p_{i+1} \delta_{i+1} u_{i+1}$ to any value $(c_1, t')$ s.t. $t' - t \neq 1$ and obtain a new word still accepted by $\mathcal{A}$, but which is no longer the reversal-encoding of a run of $M$, thus reaching the sought contradiction. ◁